[Pkg-roundcube-maintainers] Bug#1122899: roundcube: XSS and information disclosure vulnerabilities

Guilhem Moulin guilhem at debian.org
Sun Dec 14 10:19:35 GMT 2025


Source: roundcube
Version: 1.6.11+dfsg-1
Severity: important
Control: found -1 1.6.5+dfsg-1+deb12u5
Control: found -1 1.4.15+dfsg.1-1+deb11u5
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
the following vulnerabilities:

 * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
   Valentin T., CrowdStrike).
   https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

 * Information Disclosure vulnerability in the HTML style sanitizer
   (reported by somerandomdev).
   https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571

AFAICT no CVE-IDs have been published for these issues.  Will request
them shortly if no one beats me to it.

-- 
Guilhem.

[0] https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12