
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN083
_____________________________________________________________________

DATE                : 09/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Roundcube Webmail versions prior
                      to 1.4.11.

=====================================================================
https://roundcube.net/news/2021/02/08/security-update-1.4.11
https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13
_____________________________________________________________________

Security update 1.4.11

08 February 2021

We just published a service and security update to the stable version
1.4 of Roundcube Webmail. It provides a fix for a recently reported
stored XSS vulnerability as well as some general improvements from our
issue tracker.


Security fix

    Fix cross-site scripting (XSS) via HTML messages with malicious CSS
    content


Credits for this finding go to Mateusz Szymaniec (CERT Polska).

See the full changelog in the release notes on the GitHub download page.

This release is considered stable and we recommend updating all
production installations of Roundcube with this version. Download it
from roundcube.net.


Please do back up your data before updating!

_____________________________________________________________________

Security updates 1.4.10, 1.3.16 and 1.2.13 released

27 December 2020


We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail. They all contain fixes to a
recently reported stored XSS vulnerability. The 1.4.10 release also
contains a few general improvements from our issue tracker.


Security fix

    Stored cross-site scripting (XSS) via HTML or plain text messages
    with malicious content


Credits for this finding go to Alex Birnberg.

See the full changelogs in the release notes on the GitHub download
pages for the updated versions 1.4.10, 1.3.16 and 1.2.13.

We strongly recommend updating all production installations of
Roundcube with these new versions.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



