[Svn] [roundcube/roundcubemail] 87e4cd: Fix XSS issue in handling of CDATA in HTML messages

Aleksander Machniak noreply at github.com
Sun Apr 26 08:05:12 CEST 2020


  Branch: refs/heads/master
  Home:   https://github.com/roundcube/roundcubemail
  Commit: 87e4cd0cf2c550e77586860b94e5c75d2b7686d0
      https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_washtml.php
    M tests/Framework/Washtml.php

  Log Message:
  -----------
  Fix XSS issue in handling of CDATA in HTML messages


  Commit: 4951d6603a1932235f619f04356d0d135f23a3f0
      https://github.com/roundcube/roundcubemail/commit/4951d6603a1932235f619f04356d0d135f23a3f0
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_image.php

  Log Message:
  -----------
  Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings


  Commit: 219e353ac1fff08e572bc108d96e06c58273a2d7
      https://github.com/roundcube/roundcubemail/commit/219e353ac1fff08e572bc108d96e06c58273a2d7
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M program/lib/Roundcube/rcube_plugin_api.php

  Log Message:
  -----------
  Fix local file inclusion (and code execution) via crafted 'plugins' option


  Commit: 8344f07d7f88b374d1ee72d9c97520ec4c7b231a
      https://github.com/roundcube/roundcubemail/commit/8344f07d7f88b374d1ee72d9c97520ec4c7b231a
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M index.php

  Log Message:
  -----------
  Fix CSRF bypass that could be used to log out an authenticated user (#7302)


Compare: https://github.com/roundcube/roundcubemail/compare/6b5fc8db95b1...8344f07d7f88

