[Pkg-roundcube-maintainers] Bug#978491: roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages

Guilhem Moulin guilhem at debian.org
Mon Dec 28 00:31:11 GMT 2020


Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.9+dfsg.1-1
Control: found -1 1.3.15+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u7

In a recent post roundcube webmail upstream has announced the following
security fix:

    Cross-site scripting (XSS) via HTML or Plain text messages with
    malicious content (CVE-2020-35730)

1.2.x, 1.3.x and 1.4.x branches are affected.  Upstream fix:

    1.4.x https://github.com/roundcube/roundcubemail/commit/0bceba301aa621ecc0263eac17beee2a4cef0c6d
    1.3.x https://github.com/roundcube/roundcubemail/commit/a06ec1dcf9c972d302b16e1ac6aa079a4f6a1c3e
    1.2.x https://github.com/roundcube/roundcubemail/commit/47e4d44f62ea16f923761d57f1773a66d51afad4

-- 
Guilhem.