Headline
CVE-2020-13964: Release Roundcube Webmail 1.3.12 · roundcube/roundcubemail
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well a
small number of general improvements backported from the latest stable version.
See the full changelog below.
Security fixes
- Fix XSS issue in template object ‘username’ (#7406)
- Fix cross-site scripting (XSS) via malicious XML attachment
- Fix a couple of XSS issues in Installer (#7406)
- Better fix for CVE-2020-12641
The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.
This version in considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!
CHANGELOG
- Security: Better fix for CVE-2020-12641
- Security: Fix XSS issue in template object ‘username’ (#7406)
- Security: Fix couple of XSS issues in Installer (#7406)
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
Related news
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat