[v3.1] roundcubemail: cross-site scripting (CVE-2015-1433)
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
References:
http://seclists.org/oss-sec/2015/q1/374
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1433
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
(from redmine: issue id 3904, created on 2015-02-04, closed on 2015-03-16)
- Relations:
  - parent #3900 (closed)
- Changesets:
  - Revision ed21a80e by Natanael Copa on 2015-03-11T11:34:25Z:
    main/roundcubemail: security upgrade to 1.0.5 (CVE-2015-1433)
    fixes #3904