A cross-site scripting (XSS) flaw was found in the way Round Cube Webmail, a browser-based multilingual IMAP client, performed sanitization of 'data' and 'vbscript' URLs. A remote attacker could provide a specially-crafted URL that, when opened, would lead to arbitrary JavaScript, VisualBasic script or HTML code execution in the context of Round Cube Webmail's user session.

Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488850

Further details:
[2] http://trac.roundcube.net/attachment/ticket/1488850/RoundCube2XSS.pdf

Upstream patch:
[3] https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba

References:
[4] http://sourceforge.net/news/?group_id=139281&id=310213
[5] http://www.openwall.com/lists/oss-security/2013/02/07/11
[6] http://www.openwall.com/lists/oss-security/2013/02/08/1
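The class of bug described above is a URL sanitizer that blocklists dangerous schemes and misses some (here 'data' and 'vbscript'). The check below is an added illustration in Python, not Roundcube's own (PHP) code, of the allowlist approach that avoids enumerating bad schemes; the allowed-scheme set and function names are assumptions.

```python
import html
import re
import unicodedata
from typing import Optional

# Assumed allowlist of schemes an HTML-mail sanitizer keeps in href/src.
# Anything not listed (data:, vbscript:, javascript:, ...) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}

# Characters browsers ignore while reading a scheme: C0 controls, space, DEL.
_IGNORABLE = re.compile(r"[\x00-\x20\x7f]")
# A scheme is letters, then letters/digits/+/-/., ending at the first colon.
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_for_scheme_check(url: str) -> str:
    """Undo the encodings and padding a browser tolerates in front of a scheme.

    Used only for the decision; the original attribute value is never rewritten.
    Decoding entities on an already-decoded value is harmless here because it
    can only make the check stricter.
    """
    decoded = html.unescape(url)                      # &#118;bscript: -> vbscript:
    folded = unicodedata.normalize("NFKC", decoded)   # fullwidth letters -> ASCII
    return _IGNORABLE.sub("", folded)                 # "vb\tscript:" -> "vbscript:"


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for a relative URL."""
    match = _SCHEME.match(normalize_for_scheme_check(url))
    return match.group(1).lower() if match else None


def is_allowed_url(url: str) -> bool:
    """Allowlist check: relative URLs and listed schemes pass, all else fails."""
    scheme = url_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_href(url: str) -> str:
    """Value to write back into the attribute: the original URL or nothing."""
    return url if is_allowed_url(url) else ""
```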
This issue affects the versions of the roundcubemail package, as shipped with Fedora releases 16, 17, and 18. Please schedule an update.

--

This issue affects the version of the roundcubemail package, as shipped with Fedora EPEL 6. Please schedule an update.
This issue did NOT affect the version of the roundcubemail package, as shipped with Fedora EPEL 5.
Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 909304]
Affects: epel-6 [bug 909306]