Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code. For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u2. For the stable distribution (bookworm), this problem has been fixed in version 1.6.5+dfsg-1~deb12u1. We recommend that you upgrade your roundcube packages. For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube
Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.
For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u2.
For the stable distribution (bookworm), this problem has been fixed in version 1.6.5+dfsg-1~deb12u1.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube