Dear subscribers,

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.

• Fix XSS vulnerability in post-processing of sanitized HTML content

[CVE-2024-42009]

• Fix XSS vulnerability in serving of attachments other than HTML or SVG

[CVE-2024-42008]

• Fix information leak (access to remote content) via insufficient CSS

filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.8 and 1.5.8.

https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 https://github.com/roundcube/roundcubemail/releases/tag/1.5.8

We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.

Kind regards, Alec