Skip to content
Choose a tag to compare

[Security Update] Roundcube Webmail 1.3.11

@thomascube thomascube released this
· 3292 commits to master since this release
Choose a tag to compare

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well a
small number of general improvements backported from the latest stable version.
See the full changelog below.

Security fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also prevent from future and yet unknown attack vectors.

This version in considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!


  • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
  • Fix permissions on some folders created by bin/ script (#6930)
  • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
  • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
  • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in (#7003)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)