[Pkg-roundcube-maintainers] roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Roberto C. Sánchez
roberto at debian.org
Tue Aug 11 18:40:49 BST 2020
On Tue, Aug 11, 2020 at 07:11:57PM +0200, Guilhem Moulin wrote:
> Dear security team,
>
> In a recent post roundcube webmail upstream has announced the following
> security fix for #968216:
>
> Cross-site scripting (XSS) via HTML messages with malicious SVG
> or math content (CVE-2020-16145)
>
> AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
> commit addresses both so I opened a single bug:
> https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e
>
> Debdiff tested and attached, but I'd appreciate if you could take care
> of the DLA :-)
>
> Thanks!
> Cheers,
> --
> Guilhem.

Hi Guilhem,

I'll take care of it shortly.

Regards,

-Roberto

--
Roberto C. Sánchez