[Pkg-roundcube-maintainers] Bug#721592: roundcube: CVE-2013-5645
Salvatore Bonaccorso
carnil at debian.org
Mon Sep 2 06:31:27 UTC 2013
Package: roundcube
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for roundcube.
CVE-2013-5645[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
| webmail before 0.9.3 allow user-assisted remote attackers to inject
| arbitrary web script or HTML via the body of a message visited in (1)
| new or (2) draft mode, related to compose.inc; and (3) might allow
| remote authenticated users to inject arbitrary web script or HTML via
| an HTML signature, related to save_identity.inc.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
http://security-tracker.debian.org/tracker/CVE-2013-5645
[1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
[2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[3] http://trac.roundcube.net/ticket/1489251
[4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
Please adjust the affected versions in the BTS as needed. At least
0.9.2 looks affected.
Regards,
Salvatore
More information about the Pkg-roundcube-maintainers
mailing list