Headline
Debian Security Advisory 5714-1
CrowdStrike discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.
-------------------------------------------------------------------------
Debian Security Advisory DSA-5714-1                   [email protected]
https://www.debian.org/security/                      Sebastien Delafond
June 18, 2024                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2024-37383 CVE-2024-37384
Debian Bug     : 1071474

Huy Nguyễn Phạm Nhật, and Valentin T. and Lutz Wolf of CrowdStrike,
discovered that roundcube, a skinnable AJAX based webmail solution for
IMAP servers, did not correctly process and sanitize requests. This
would allow an attacker to perform Cross-Site Scripting (XSS) attacks.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1.4.15+dfsg.1-1+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 1.6.5+dfsg-1+deb12u2.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
Related news
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of
Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.