=====================================================================

                                CERT-Renater

                      Information Note No. 2023/VULN458

_____________________________________________________________________

DATE                : 08/11/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube Webmail versions prior
                                      to 1.6.5, 1.5.6.

=====================================================================
https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6
_____________________________________________________________________

Security updates 1.6.5 and 1.5.6 released

Published: 05 November 2023

We just published security updates to the 1.6 and 1.5 LTS versions
of Roundcube Webmail. They all contain a fix for a recently reported
security vulnerability.


Security fix

Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download.
Credits for this finding go to Rene Rehme (rehme.infosec).

See the full changelogs in the release notes on the GitHub download
pages for the updated versions 1.6.5 and 1.5.6.

We strongly recommend updating all production installations of
Roundcube 1.6.x and 1.5.x to these new versions.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
