[Pkg-roundcube-maintainers] Bug#1122899: roundcube: XSS and information disclosure vulnerabilities
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 18 06:39:59 GMT 2025
Control: retitle -1 roundcube: XSS (CVE-2025-68461) and information disclosure (CVE-2025-68460)
Hi Guilhem,
On Sun, Dec 14, 2025 at 02:32:27PM +0100, Salvatore Bonaccorso wrote:
> Hi Guilhem,
>
> On Sun, Dec 14, 2025 at 11:19:35AM +0100, Guilhem Moulin wrote:
> > Source: roundcube
> > Version: 1.6.11+dfsg-1
> > Severity: important
> > Control: found -1 1.6.5+dfsg-1+deb12u5
> > Control: found -1 1.4.15+dfsg.1-1+deb11u5
> > Tags: security upstream
> > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> >
> > Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
> > the following vulnerabilities:
> >
> > * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
> > Valentin T., CrowdStrike).
> > https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
> >
> > * Information Disclosure vulnerability in the HTML style sanitizer
> > (reported by somerandomdev).
> > https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571
> >
> > AFAICT no CVE-ID have been published for these issues. Will request
> > them shortly if no one beats me to it.
>
> Not sure if you requested them already, but I have done so now via
> MITRE CNA.
Two CVEs has been assigned, they are:
CVE-2025-68460:
https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571
CVE-2025-68461:
https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
Regards,
Salvatore
More information about the Pkg-roundcube-maintainers
mailing list