CVE-2018-19206: Update 1.3.8 released
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Published: 26 October 2018
Tags: releases, updates, security
We proudly announce the next service release to update the stable version 1.3.
It contains fixes for several bugs backported from the master branch, including a security fix for a reported XSS vulnerability, plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8.
This release is considered stable and we recommend updating all production installations of Roundcube to this version. Download it from roundcube.net.