Skip to content

Roundcube Webmail 1.5.8

Compare
Choose a tag to compare
@alecpl alecpl released this 04 Aug 11:24
· 969 commits to master since this release
1.5.8

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!