[Roundcube Announce] Security updates 1.4.8, 1.3.15 and 1.2.12 released

Thomas Bruederli thomas at roundcube.net
Mon Aug 10 21:50:54 CEST 2020


Dear subscribers

We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain two recently reported cross-site scripting (XSS)
vulnerabilities. The 1.4.8 release also contains a number of general
improvements from our issue tracker [1].

Security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious svg
content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math
content

Credits for these two findings go to Łukasz Pilorz from Pentesters [2].

See the full changelogs in the release notes on the GitHub download pages
for the updated versions.

We strongly recommend updating all productive installations of Roundcube
with these new versions. Download the latest tarballs from
https://roundcube.net/download

Best,
Alec & Thomas

[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
[2] https://www.pentesters.pl/