[Svn] [roundcube/roundcubemail] 4312dc: Fix XSS issue in handling of CDATA in HTML messages

Thomas B. noreply at github.com
Tue Apr 28 21:58:51 CEST 2020


  Branch: refs/heads/release-1.2
  Home:   https://github.com/roundcube/roundcubemail
  Commit: 4312dc4efecb9553fcacfab0ab9d9ee6e88477e7
      https://github.com/roundcube/roundcubemail/commit/4312dc4efecb9553fcacfab0ab9d9ee6e88477e7
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-28 (Tue, 28 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_washtml.php

  Log Message:
  -----------
  Fix XSS issue in handling of CDATA in HTML messages


  Commit: 4694620a1e8b05e7b370e9dda58c1124d36fde9b
      https://github.com/roundcube/roundcubemail/commit/4694620a1e8b05e7b370e9dda58c1124d36fde9b
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-28 (Tue, 28 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_image.php

  Log Message:
  -----------
  Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings


  Commit: 33faaed63a0edaebb854b8a1ac5454b181f81ece
      https://github.com/roundcube/roundcubemail/commit/33faaed63a0edaebb854b8a1ac5454b181f81ece
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-28 (Tue, 28 Apr 2020)

  Changed paths:
    M program/lib/Roundcube/rcube_plugin_api.php

  Log Message:
  -----------
  Fix local file inclusion (and code execution) via crafted 'plugins' option


  Commit: cceeff2472c00acb2c6b96c9df7a289f1db77713
      https://github.com/roundcube/roundcubemail/commit/cceeff2472c00acb2c6b96c9df7a289f1db77713
  Author: Aleksander Machniak <alec at alec.pl>
  Date:   2020-04-28 (Tue, 28 Apr 2020)

  Changed paths:
    M index.php

  Log Message:
  -----------
  Fix CSRF bypass that could be used to log out an authenticated user (#7302)


  Commit: 1a7b603875bb397ebd2b2e69d5be0b59473f06f4
      https://github.com/roundcube/roundcubemail/commit/1a7b603875bb397ebd2b2e69d5be0b59473f06f4
  Author: Thomas Bruederli <thomas at roundcube.net>
  Date:   2020-04-28 (Tue, 28 Apr 2020)

  Changed paths:
    M CHANGELOG
    M index.php
    M installer/index.php
    M program/include/iniset.php
    M program/lib/Roundcube/bootstrap.php

  Log Message:
  -----------
  Bump version to 1.2.10


Compare: https://github.com/roundcube/roundcubemail/compare/d3f2759a6b8b...1a7b603875bb

