Red Hat Bugzilla – Bug 476223
CVE-2008-5619 roundcubemail: Remotely exploitable code injection vulnerability
Last modified: 2008-12-17 10:10:04 EST
A remotely exploitable code injection vulnerability has been found in the RoundCube Webmail browser-based multilingual IMAP client due to insufficient sanitization of certain HTML tags. A remote attacker could use this flaw to potentially inject and execute arbitrary code via an HTML POST form request with specially-crafted HTML tags.
This issue affects all versions of the roundcubemail package, as shipped with Fedora releases 8, 9 and 10.
Please apply the above patch and update.
roundcubemail-0.2-4.beta.fc10 has been submitted as an update for Fedora 10.
roundcubemail-0.2-4.beta.fc9 has been submitted as an update for Fedora 9.
roundcubemail-0.2-4.beta.fc8 has been submitted as an update for Fedora 8.
roundcubemail-0.2-4.beta.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-4.beta.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-4.beta.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5619 to
html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and
0.2-3.beta allows remote attackers to execute arbitrary code via
crafted input that is processed by the preg_replace function with the