Dear subscribers
We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace. Credits for this finding go to SSD Secure Disclosure [1].
The 1.4.7 release also contains a number of general improvements from our issue tracker. See the full changelog in the release notes on the Github download page [2].
We strongly recommend to update all productive installations of Roundcube with these new versions. Download the latest tarballs from https://roundcube.net/download
Best, Alec & Thomas
[1] https://ssd-disclosure.com/ [2] https://github.com/roundcube/roundcubemail/releases/tag/1.4.7