Thank you, Thomas.
On 2020-08-10 21:50, Thomas Bruederli wrote:
Dear subscribers
We just published security updates to the stable version 1.4 and the
LTS versions 1.3 and 1.2 of Roundcube Webmail.
They all contain two recently reported cross-site scripting (XSS)
vulnerabilities. The 1.4.8 release also contains a number of general
improvements from our issue tracker [1].
Security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious svg
content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math
content
Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
See the full changelogs in the release notes on the GitHub download
pages for the updated versions.
We strongly recommend updating all productive installations of
Roundcube with these new versions. Download the latest tarballs from
https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
[2] https://www.pentesters.pl/
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users