An XSS flaw was reported  in roundcube's message handling functionality. It has been fixed  upstream in r5037.
Created roundcubemail tracking bugs for this issue
Affects: fedora-all [bug 731787]
Affects: epel-6 [bug 731788]
This was assigned the name CVE-2011-2937 and is addressed in 0.5.4: