Headline
CVE-2021-44026: #1000156 - roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Reported by: Guilhem Moulin [email protected]
Date: Thu, 18 Nov 2021 18:27:01 UTC
Severity: important
Tags: security
Found in versions roundcube/1.4.11+dfsg.1-4, roundcube/1.3.16+dfsg.1-1~deb10u1
Fixed in version roundcube/1.5.0+dfsg.1-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded to [email protected], Debian Roundcube Maintainers <[email protected]>:
Bug#1000156; Package src:roundcube. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).
Acknowledgement sent to Guilhem Moulin <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <[email protected]>. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).
Message #5 received at [email protected] (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: roundcube Severity: important Tags: security Control: found -1 1.3.16+dfsg.1-1~deb10u1 Control: found -1 1.4.11+dfsg.1-4 Control: fixed -1 1.5.0+dfsg.1-1
In a recent post roundcube webmail upstream has announced the following security fixes:
* Fix XSS issue in handling attachment filename extension in mimetype mismatch warning * Fix possible SQL injection via some session variables
sid/bookworm’s 1.5.0+dfsg.1-2 is not affected. Upstream fixes for LTS branches:
1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
– Guilhem.
[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions roundcube/1.3.16+dfsg.1-1~deb10u1. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Thu, 18 Nov 2021 18:27:03 GMT) (full text, mbox, link).
Marked as found in versions roundcube/1.4.11+dfsg.1-4. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Thu, 18 Nov 2021 18:27:04 GMT) (full text, mbox, link).
Marked as fixed in versions roundcube/1.5.0+dfsg.1-1. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Thu, 18 Nov 2021 18:27:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <[email protected]>. Last modified: Fri Nov 19 04:30:08 2021; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.