[Pkg-roundcube-maintainers] Bug#514179: CVE-2009-0413: possible XSS issue

Vincent Bernat bernat at debian.org
Fri Feb 6 06:38:06 UTC 2009

OoO En cette nuit nuageuse du jeudi 05 février 2009, vers 00:13, Steffen
Joeris <steffen.joeris at skolelinux.de> disait :

> Package: roundcube
> Version: 0.2~alpha-4
> Severity: important
> Tags: security

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.

> CVE-2009-0413[0]:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.

> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

Hi Steffen!

From  my knowledge,  0.1.1 and  0.2alpha  are not  affected because  the
background attribute is not accepted at all.

The patch also fixes  a regexp and I don't know if  this is related to a
security issue. I will ask upstream about this.

Until  I get  a confirmation,  I leave  the report  as is.  I  hope that
roundcube won't be removed from lenny. ;-)

Thanks for the report.
BOFH excuse #328:
Fiber optics caused gas main leak
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20090206/d056e62e/attachment.pgp 

More information about the Pkg-roundcube-maintainers mailing list