CVE-2023-43770: Security update 1.6.3 released
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Published: 15 September 2023
Tags: releases, updates, security
We have just published a security update for version 1.6 of Roundcube Webmail. It fixes a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
See the full changelog in the release notes on the GitHub download page.
We strongly recommend updating all production installations of Roundcube 1.6.x to this new version.
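As an added check that is not part of the Roundcube announcement: the script below tells an administrator whether an installed Roundcube version falls inside the affected ranges given above (before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3). It assumes the installed version can be read from the RCMAIL_VERSION constant Roundcube defines in program/include/iniset.php; the iniset.php contents embedded in the script are a constructed sample, not taken from a real installation.

```python
"""Check whether an installed Roundcube version is in a range affected by
CVE-2023-43770 (fixed in 1.4.14, 1.5.4 and 1.6.3).

Added example, not part of the Roundcube announcement or code base. It
assumes the version is read from the RCMAIL_VERSION constant defined in
program/include/iniset.php; SAMPLE_INISET below is constructed input.
"""
import re
import sys

# First fixed patch release per affected branch, taken from the advisory text.
FIXED_PATCH = {(1, 4): 14, (1, 5): 4, (1, 6): 3}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn '1.6.2', '1.6' or '1.6.3-rc1' into a (major, minor, patch) tuple.
    A missing patch number counts as 0; release suffixes are ignored."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if this Roundcube version is inside an affected range."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Anything older than the 1.4 branch predates all three fixes and is
    # covered by "before 1.4.14"; later branches are not listed as affected.
    return branch < (1, 4)


def version_from_iniset(source: str) -> str:
    """Extract the version string from the RCMAIL_VERSION define in iniset.php."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'", source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found in source")
    return m.group(1)


# Constructed sample of the relevant line from program/include/iniset.php.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"


if __name__ == "__main__":
    # Usage: python check_roundcube.py /path/to/roundcube/program/include/iniset.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_INISET
    ver = version_from_iniset(src)
    state = "AFFECTED, update required" if is_affected(ver) else "not affected"
    print(f"Roundcube {ver}: {state}")
```

One caveat when using this against distribution packages: Debian and Ubuntu backport security fixes without changing the upstream version string, so a packaged 1.6.2 may already carry the fix. For those installs, check the package changelog or the advisory for that distribution rather than relying on RCMAIL_VERSION alone.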
Related news
Ubuntu Security Notice 6654-1 - It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting attack.
A vulnerability in Roundcube webmail is being actively exploited and CISA is urging users to install an updated version.