[Pkg-roundcube-maintainers] Bug#968216: roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious svg or math content

Guilhem Moulin guilhem at debian.org
Tue Aug 11 00:19:17 BST 2020


Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.7+dfsg.2-1
Control: found -1 1.3.14+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u5

In a recent post roundcube webmail upstream has announced the following
security fix:

    Cross-site scripting (XSS) via HTML messages with malicious svg
    or math content (CVE-2020-16145)

1.2.x, 1.3.x and 1.4.x branches are affected.  Upstream fix:

    1.4.x https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4
    1.3.x https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b
    1.2.x https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e

-- 
Guilhem.