[Pkg-roundcube-maintainers] Bug#964355: roundcube: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace

Guilhem Moulin guilhem at debian.org
Sun Jul 5 22:39:04 BST 2020


Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.6+dfsg.1-3
Control: found -1 1.3.13+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u5

AFAICT no CVE was assigned for this yet.  1.2.x, 1.3.x and 1.4.x
branches are affected.  Upstream fix:
                                     
    1.4.x https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82
    1.3.x https://github.com/roundcube/roundcubemail/commit/19502419757a976dbd55ce5a746610c5bab7896b
    1.2.x https://github.com/roundcube/roundcubemail/commit/f3d1566cf223eb04f47b6dfffcd88753f66c36ee

-- 
Guilhem.