An XSS vulnerability in roundcubemail was found when drag-n-dropping a file with crafted filename, e.g. '><img src=x onerror=alert(1);>. Upstream bug: http://trac.roundcube.net/ticket/1490530 Upstream patch: http://trac.roundcube.net/changeset/dd7db2179/github
Created roundcubemail tracking bugs for this issue: Affects: fedora-all [bug 1276391] Affects: epel-all [bug 1276392]