Bug#1054079: roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

Guilhem Moulin Mon, 16 Oct 2023 11:27:12 -0700

Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168


In a recent post roundcube webmail upstream has announced the
following security fix:

 * Fix cross-site scripting (XSS) vulnerability in handling of SVG in
   HTML messages.

AFAICT no CVE ID has been assigned or requested yet, so I'll file a
request to that effect.  Upstream fixes for stable and LTS branches:

    1.6.x 
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
    1.4.x 
https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
          
https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127

1.3.x is no longer supported upstream but AFAICT affected nonetheless.

-- 
Guilhem.

signature.asc
Description: PGP signature

Bug#1054079: roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

Reply via email to