Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168

In a recent post roundcube webmail upstream has announced the following security fix:

 * Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages.

AFAICT no CVE ID has been assigned or requested yet, so I'll file a request to that effect.

Upstream fixes for stable and LTS branches:

1.6.x https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
1.4.x https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
      https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127

1.3.x is no longer supported upstream but AFAICT affected nonetheless.

-- 
Guilhem.