[Svn] [roundcube/roundcubemail] 23c061: Fix XSS issue in handling of CDATA in HTML messages

Thomas B. noreply at github.com
Sun Apr 26 22:18:18 CEST 2020


  Branch: refs/heads/release-1.3
  Home:   https://github.com/roundcube/roundcubemail
  Commit: 23c06159ae8c6f500336e3075820e648aa6f40a4
      https://github.com/roundcube/roundcubemail/commit/23c06159ae8c6f500336e3075820e648aa6f40a4
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_washtml.php

  Log Message:
  -----------
  Fix XSS issue in handling of CDATA in HTML messages


  Commit: 47f431b1d69354d5e3843087ef3c62a3ab09e880
      https://github.com/roundcube/roundcubemail/commit/47f431b1d69354d5e3843087ef3c62a3ab09e880
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_image.php

  Log Message:
  -----------
  Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings


  Commit: c0eea755cf10375a2bdd26a42c5576b7584ae791
      https://github.com/roundcube/roundcubemail/commit/c0eea755cf10375a2bdd26a42c5576b7584ae791
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_plugin_api.php

  Log Message:
  -----------
  Fix local file inclusion (and code execution) via crafted 'plugins' option


  Commit: 1e7bec9cb868fa32b05acf6b0a557a6311350c56
      https://github.com/roundcube/roundcubemail/commit/1e7bec9cb868fa32b05acf6b0a557a6311350c56
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M index.php

  Log Message:
  -----------
  Fix CSRF bypass that could be used to log out an authenticated user (#7302)


  Commit: fe0d97e5e0ce5e312bdf7c583cd2f7e4f2f457cf
      https://github.com/roundcube/roundcubemail/commit/fe0d97e5e0ce5e312bdf7c583cd2f7e4f2f457cf
  Author: Thomas Bruederli <thomas at roundcube.net>
  Date:   2020-04-26 (Sun, 26 Apr 2020)

  Changed paths:
    M CHANGELOG
    M index.php
    M installer/index.php
    M program/include/iniset.php
    M program/lib/Roundcube/bootstrap.php
    M public_html/index.php

  Log Message:
  -----------
  Bump version to 1.3.11


Compare: https://github.com/roundcube/roundcubemail/compare/25c48615426f...fe0d97e5e0ce

