[Svn] [roundcube/roundcubemail] 1c239c: Fix XSS issue in handling of CDATA in HTML messages

Aleksander Machniak noreply at github.com
Sun Apr 26 08:06:14 CEST 2020


  Branch: refs/heads/release-1.4
  Home:   https://github.com/roundcube/roundcubemail
  Commit: 1c239c90d9b9b88fe551f20e22565fec74c29063
      https://github.com/roundcube/roundcubemail/commit/1c239c90d9b9b88fe551f20e22565fec74c29063
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_washtml.php
    M tests/Framework/Washtml.php

  Log Message:
  -----------
  Fix XSS issue in handling of CDATA in HTML messages


  Commit: fcfb099477f353373c34c8a65c9035b06b364db3
      https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_image.php

  Log Message:
  -----------
  Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings


  Commit: 814eadb699e8576ce3a78f21e95bf69a7c7b3794
      https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_plugin_api.php

  Log Message:
  -----------
  Fix local file inclusion (and code execution) via crafted 'plugins' option


  Commit: 9bbda422ff0b782b81de59c86994f1a5fd93f8e6
      https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M index.php

  Log Message:
  -----------
  Fix CSRF bypass that could be used to log out an authenticated user (#7302)


Compare: https://github.com/roundcube/roundcubemail/compare/301670f081e6...9bbda422ff0b

