Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3507 to the following vulnerability:

Name: CVE-2012-3507
Reference: MLIST:[oss-security] 20120820 CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/2
Reference: MLIST:[oss-security] 20120820 Re: CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/9
Reference: MLIST:[oss-security] 20120820 Re: CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/3
Reference: MISC:http://www.securelist.com/en/advisories/50212
Reference: CONFIRM:http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/
Reference: CONFIRM:http://trac.roundcube.net/ticket/1488519
Reference: SECUNIA:50212
Reference: URL:http://secunia.com/advisories/50212

Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
Created roundcubemail tracking bugs for this issue
Affects: epel-all [bug 851915]

Created roundcubemail tracking bugs for this issue
Affects: fedora-all [bug 851917]
As noted in http://sourceforge.net/news/?group_id=139281&id=308917, the new Larry skin was introduced starting with upstream roundcube version 0.8.0; therefore this issue would not affect the versions of the roundcube package as shipped with Fedora releases 16 and 17, and Fedora EPEL 5 and 6.