It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code. For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u1. For the stable distribution (bookworm), this problem has been fixed in version 1.6.4+dfsg-1~deb12u1. We recommend that you upgrade your roundcube packages. For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube
It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.
For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u1.
For the stable distribution (bookworm), this problem has been fixed in version 1.6.4+dfsg-1~deb12u1.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube