Bug 909289 (CVE-2012-6121) - CVE-2012-6121 roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling
Summary: CVE-2012-6121 roundcubemail: Cross-site scripting (XSS) in vbscript: and data...
Status: CLOSED ERRATA
Alias: CVE-2012-6121
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20121203,repor...
Keywords: Security
Depends On: 909304 909306
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-08 14:55 UTC by Jan Lieskovsky
Modified: 2016-03-04 12:07 UTC (History)
4 users (show)

Fixed In Version: roundcubemail-0.8.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-26 15:41:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jan Lieskovsky 2013-02-08 14:55:29 UTC
A cross-site scripting (XSS) flaws were round in the way Round Cube Webmail, a browser-based multilingual IMAP client, performed sanitization of 'data' and 'vbscript' URLs. A remote attacker could provide a specially-crafted URL that, when opened would lead to arbitrary JavaScript, VisualBasic script or HTML code execution in the context of Round Cube Webmail's user session.

Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488850

Further details:
[2] http://trac.roundcube.net/attachment/ticket/1488850/RoundCube2XSS.pdf

Upstream patch:
[3] https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba

References:
[4] http://sourceforge.net/news/?group_id=139281&id=310213
[5] http://www.openwall.com/lists/oss-security/2013/02/07/11
[6] http://www.openwall.com/lists/oss-security/2013/02/08/1

Comment 1 Jan Lieskovsky 2013-02-08 14:58:22 UTC
This issue affects the versions of the roundcubemail, as shipped with Fedora release of 16, 17, and 18. Please schedule an update.

--

This issue affects the version of the roundcubemail, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-02-08 15:02:12 UTC
This issue did NOT affect the version of the roundcubemail package, as shipped with Fedora EPEL 5.

Comment 3 Jan Lieskovsky 2013-02-08 15:03:50 UTC
Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 909304]
Affects: epel-6 [bug 909306]


Note You need to log in before you can comment on or make changes to this bug.