====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN438
_____________________________________________________________________

DATE                : 12/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube Webmail versions prior to
                     1.4.8, 1.3.15 and 1.2.12.

=====================================================================
https://roundcube.net/news/2020/08/10/security-updates-1.4.8-1.3.15-and-1.2.12
_____________________________________________________________________

Security updates 1.4.8, 1.3.15 and 1.2.12 released



10 August 2020

We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail. They all contain fixes for two
recently reported cross-site scripting (XSS) vulnerabilities. The 1.4.8
release also contains a number of general improvements from our issue
tracker.


Security fixes

    - Fix cross-site scripting (XSS) via HTML messages with malicious SVG
      content (CVE-2020-16145)

    - Fix cross-site scripting (XSS) via HTML messages with malicious math
      content


Credits for these two findings go to Łukasz Pilorz from Pentesters.

See the full changelogs in the release notes on the GitHub download
pages for the updated versions 1.4.8, 1.3.15 and 1.2.12.

We strongly recommend updating all production installations of
Roundcube to these new versions.
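A quick way to act on this recommendation is to check every Roundcube host against the first fixed release of its branch (1.4.8, 1.3.15, 1.2.12) rather than eyeballing version strings. The script below is an added example written for this note; it is not part of the advisory or of Roundcube's own code. It assumes that Roundcube 1.x declares its version as the PHP constant RCMAIL_VERSION in program/include/iniset.php (an assumption, check it against your install), and the inventory and iniset.php snippet it runs over are constructed sample data.

```python
import re

# First fixed release per branch, as listed in the Roundcube announcement.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 8),
    (1, 3): (1, 3, 15),
    (1, 2): (1, 2, 12),
}

# Assumption: Roundcube 1.x defines its version as a PHP constant in
# program/include/iniset.php; this regex matches that define() line.
_VERSION_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Turn '1.4.8' or '1.4.8-git' into (1, 4, 8). Missing components are
    treated as 0, so a pre-release such as '1.4-rc1' sorts below 1.4.0."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version string: {text!r}")
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def assess(installed):
    """Classify an installed version against the fixed releases.

    status is 'fixed', 'vulnerable', 'unsupported-old' (branch older than
    any listed in the advisory) or 'newer-branch' (not covered by it)."""
    v = parse_version(installed)
    branch = v[:2]
    result = {"installed": v, "branch": branch, "fixed_in": None}
    if branch in FIXED_VERSIONS:
        result["fixed_in"] = FIXED_VERSIONS[branch]
        result["status"] = "fixed" if v >= result["fixed_in"] else "vulnerable"
    elif branch < min(FIXED_VERSIONS):
        result["status"] = "unsupported-old"
    else:
        result["status"] = "newer-branch"
    return result


def version_from_iniset(source):
    """Extract the version string from the contents of iniset.php, or None."""
    m = _VERSION_DEFINE.search(source)
    return m.group(1) if m else None


def hosts_needing_update(inventory):
    """Given {hostname: version}, return the hosts that are not on a fixed
    release, each with the assessment (including the release to move to)."""
    todo = {}
    for host, version in inventory.items():
        r = assess(version)
        if r["status"] != "fixed":
            todo[host] = r
    return todo


# Constructed sample data (not from the advisory): a snippet shaped like
# Roundcube's iniset.php, and a hypothetical inventory of mail hosts.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.4.7');\n"
SAMPLE_INVENTORY = {
    "mail1.example.test": "1.4.7",
    "mail2.example.test": "1.4.8",
    "legacy.example.test": "1.3.14",
    "lts.example.test": "1.2.12",
}

if __name__ == "__main__":
    print("iniset.php reports:", version_from_iniset(SAMPLE_INISET))
    for host, r in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: {r['status']} (installed {r['installed']}, "
              f"fixed in {r['fixed_in']})")
```

On a real fleet, feed hosts_needing_update() with versions read via version_from_iniset() from each host's iniset.php (over your configuration management tool, for instance). Hosts reported as 'unsupported-old' have no fixed release in this advisory and need a branch upgrade rather than a patch-level bump.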


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================