Bug 828556 (CVE-2012-1253)

Summary: CVE-2012-1253 roundcubemail: XSS flaw fixed in 0.7
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cwickert, limburgher, mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20111214,reported=20120604,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,epel-all/roundcubemail=affected,fedora-16/roundcubemail=affected,cwe=CWE-79[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-26 15:26:55 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 828557, 828558    
Bug Blocks:    

Description Vincent Danen 2012-06-04 17:43:11 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1253 to
the following vulnerability:

Name: CVE-2012-1253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1253
Assigned: 20120221
Reference: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7/
Reference: JVN:JVN#21422837
Reference: http://jvn.jp/en/jp/JVN21422837/index.html
Reference: JVNDB:JVNDB-2012-000050
Reference: http://jvndb.jvn.jp/jvndb/JVNDB-2012-000050

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before
0.7, when Internet Explorer is used, allows remote attackers to inject
arbitrary web script or HTML via vectors involving an embedded image
Comment 1 Vincent Danen 2012-06-04 17:44:19 EDT
Created roundcubemail tracking bugs for this issue

Affects: epel-all [bug 828557]
Affects: fedora-16 [bug 828558]