[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue

Steffen Joeris steffen.joeris at skolelinux.de
Wed Feb 4 23:13:05 UTC 2009


Package: roundcube
Version: 0.2~alpha-4
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.

CVE-2009-0413[0]:
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail
| (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
| web script or HTML via the background attribute embedded in an HTML
| e-mail message.

This bug report concerns the experimental version. The other versions
don't seem to be affected after a quick glance. The published upstream
patch is here[1].

If you fix the vulnerability, please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413
    http://security-tracker.debian.net/tracker/CVE-2009-0413
[1] http://trac.roundcube.net/changeset/2245
