Bug URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
---
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168

In a recent post roundcube webmail upstream has announced the following security fix:

* Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages.

AFAICT no CVE ID has been assigned or requested yet, so I'll file a request to that effect.

Upstream fixes for stable and LTS branches:

1.6.x
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d

1.4.x
https://github.com/roundcube/roundcubemail/commit/7b2df52ede57bab9e87e9c3bc00601eeca591a5e
https://github.com/roundcube/roundcubemail/commit/dc7b6850c68870570b438d79c0949a5031522127

1.3.x is no longer supported upstream but AFAICT affected nonetheless.
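The fix named above concerns script execution from SVG embedded in HTML mail. What follows is an added example for this report, not Roundcube's code and not a reproduction of the upstream commits: a small triage scanner that flags the SVG constructs a webmail sanitizer is expected to strip (inline script, on* event handlers, javascript:/data: URIs in href/xlink:href/src, and elements such as foreignObject, use, animate and set that can carry a second document or script). The sample bodies, the function names and the finding format are constructed for the example; nothing here claims to be the specific bypass the commits fix.

```python
"""Triage scanner for script-bearing SVG inside HTML e-mail bodies.

Added example for this bug report; it is not Roundcube code and does not
reproduce the upstream fix. It flags the SVG constructs a mail sanitizer is
expected to remove so that stored messages can be checked in bulk.
"""
from html.parser import HTMLParser

# Elements that can run script or smuggle a second document inside SVG.
RISKY_SVG_TAGS = {"script", "foreignobject", "use", "animate", "set"}
# Attributes that take a URI and therefore a javascript:/data: payload.
URL_ATTRS = {"href", "xlink:href", "src", "data"}
RISKY_SCHEMES = {"javascript", "data", "vbscript"}


def _scheme(value):
    """Return the lower-cased URI scheme, ignoring whitespace browsers skip."""
    if value is None:
        return ""
    flat = "".join(value.split()).lower()
    colon = flat.find(":")
    return flat[:colon] if colon > 0 else ""


class SvgVectorScanner(HTMLParser):
    """Collect (tag, reason) findings for anything script-capable inside <svg>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # only SVG content is in scope for this scanner
        if tag in RISKY_SVG_TAGS:
            self.findings.append((tag, "risky element inside svg"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, f"event handler attribute {name}"))
            elif name in URL_ATTRS and _scheme(value) in RISKY_SCHEMES:
                self.findings.append((tag, f"{name} uses {_scheme(value)} URI"))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html(body):
    """Return the list of (tag, reason) findings for one HTML message body."""
    scanner = SvgVectorScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_clean(body):
    """True when no SVG-borne script vector was found."""
    return not scan_html(body)


# Constructed sample bodies (not real messages).
SAMPLE_BENIGN = ('<p>Hi</p><svg width="10" height="10">'
                 '<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SAMPLE_SCRIPT = '<svg><script>alert(document.cookie)</script></svg>'
SAMPLE_ONLOAD = '<svg onLoad="alert(1)"></svg>'
# Tab entity inside the scheme: browsers strip it, so the scanner must too.
SAMPLE_HREF = ('<svg><a xlink:href="java&#09;script:alert(1)">'
               '<text>click</text></a></svg>')
SAMPLE_FOREIGN = ('<svg><foreignObject><body onload="alert(1)"></body>'
                  '</foreignObject></svg>')

if __name__ == "__main__":
    for label, body in [("benign", SAMPLE_BENIGN), ("script", SAMPLE_SCRIPT),
                        ("onload", SAMPLE_ONLOAD), ("href", SAMPLE_HREF),
                        ("foreignObject", SAMPLE_FOREIGN)]:
        print(label, "clean" if is_clean(body) else scan_html(body))
```

This is a detection aid for going through stored HTML parts, not a sanitizer: it deliberately ignores script outside `<svg>`, and a sanitizer must work the other way round, allow-listing known-safe elements and attributes rather than recognising bad ones. Note that the parser decodes character references before the scheme check, which is why the tab-encoded `java&#09;script:` sample is still caught.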
Created roundcubemail tracking bugs for this issue:

Affects: fedora-all [bug 2244536]
Added CVSS, CWE, and CVE.