Skip to content

Roundcube Webmail 1.5.8
Compare
Choose a tag to compare
@alecpl alecpl released this 04 Aug 11:24
· 888 commits to master since this release
1.5.8
This tag was signed with the committer’s verified signature.
alecpl Aleksander Machniak
GPG key ID: BEE674A019359DC1
Learn about vigilant mode.
ed98839

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

Assets 8
Loading