Dear subscribers
We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain two recently reported cross-site scripting (XSS) vulnerabilities. The 1.4.8 release also contains a number of general improvements from our issue tracker [1].
Security fixes:
content (CVE-2020-16145)
content
Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
See the full changelogs in the release notes on the Github download pages for the updated versions.
We strongly recommend updating all productive installations of Roundcube with these new versions. Download the latest tarballs from https://roundcube.net/download
Best, Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8 [2] https://www.pentesters.pl/