Two XSS flaws were fixed in roundcube 0.9.3 [1]:

* Fix XSS vulnerability when saving HTML signatures [2],[3]
* Fix XSS vulnerability when editing a message "as new" or draft [2],[4]

[1] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
[2] http://trac.roundcube.net/ticket/1489251
[3] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[4] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

Created roundcubemail tracking bugs for this issue:

Affects: fedora-all [bug 1000511]
Affects: epel-6 [bug 1000512]

These were assigned CVEs as follows:

http://www.openwall.com/lists/oss-security/2013/08/28/4

All aspects of CVE-2013-5645 were discovered by und3r.

These are all CVE-2013-5645 references:

* http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
* http://trac.roundcube.net/ticket/1489251
* http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
* http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

http://trac.roundcube.net/ticket/1489251 is the only CVE-2013-5646 reference that we know of at the moment.