[Pkg-roundcube-maintainers] Bug#455840: CVE-2007-6321: Cross-site scripting (XSS) vulnerability
Vincent Bernat
bernat at luffy.cx
Wed Jan 2 18:40:26 UTC 2008
OoO En ce milieu de nuit étoilée du mercredi 12 décembre 2007, vers
03:46, Micah Anderson <micah at debian.org> disait:
> CVE-2007-6321 details a XSS vulnerability in Roundcube 0.1rc2 and
> earlier. Its only affects users of IE who are using roundcube, so it may
> seem unimportant, but the sad fact of the matter is many people
> still use that browser and most people who run webmail are likely to be
> visited by IE users.
> Please mention this CVE in any changelogs that address this issue. When
> a fix is available, please upload with urgency=high to speed up
> migration to testing. If you have any questions or need help, visit us
> in channel #debian-security on OFTC.
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6321
> Reference: BUGTRAQ:20071209 Unsanitized scripting in RoundCube webmail
> Reference: http://www.securityfocus.com/archive/1/archive/1/484802/100/0/threaded
> Reference: http://openmya.hacker.jp/hasegawa/security/expression.txt
> Reference: XF:roundcube-email-messages-xss(38981)
> Reference: URL:http://xforce.iss.net/xforce/xfdb/38981
There is a proposition from Roundcube dev here:
http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html
I have tested it with ie4linux and it seems that it is still
vulnerable. Could someone else check this?
I attach the patch as well.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ie-xss.200712131255.patch
Type: text/x-diff
Size: 6494 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20080102/ee8e5e37/attachment.patch
More information about the Pkg-roundcube-maintainers
mailing list