======================================================================

                                  CERT-Renater

                      Note d'Information No. 2024/VULN333
_____________________________________________________________________

DATE                : 23/08/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube versions prior to 
                               1.6.8, 1.5.8.

=====================================================================
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
_____________________________________________________________________

Security updates 1.6.8 and 1.5.8 released

Published: 04 August 2024

     Tags: releases updates security
We just published security updates to the 1.6 and 1.5 LTS versions
of Roundcube Webmail. They both contain fixes for recently reported
security vulnerabilities.


Security fixes

     Fix XSS vulnerability in post-processing of sanitized HTML
content [CVE-2024-42009]

     Fix XSS vulnerability in serving of attachments other than HTML
or SVG [CVE-2024-42008]

     Fix information leak (access to remote content) via insufficient
CSS filtering [CVE-2024-42010]


Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and
thanks for providing a very detailed report in a private
communication.

See the full changelogs in the release notes on the Github download
pages for the updated versions 1.6.8 and 1.5.8.

We strongly recommend to update all productive installations of
Roundcube 1.6.x and 1.5.x with this new versions.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================