Bug 1215433

Summary: VUL-0: roundcubemail: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Aeneas Jaißle <aj>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, cathy.hu, lars.vogdt
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-09-18 09:36:16 UTC
https://roundcube.net/news/2023/09/15/security-update-1.6.3-released

Security update 1.6.3 released

Published: 15 September 2023

    Tags: releases updates security 

We just published a security update to the version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability:

    Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.

See the full changelog in the release notes on the Github download page.

We strongly recommend updating all production installations of Roundcube 1.6.x to this new version.


This also affects older roundcubemail code-streams:
https://roundcube.net/news/2023/09/18/security-update-1.5.4-released
https://roundcube.net/news/2023/09/18/security-update-1.4.14-released
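An added check, not code from the Roundcube project or from the openSUSE update tooling: a POSIX shell function that maps an installed Roundcube version to its code stream (1.4.x, 1.5.x, 1.6.x) and tests whether it is at or above the first release of that stream carrying the linkref XSS fix (1.4.14, 1.5.4, 1.6.3, as listed in the announcements above). Versions from a stream that received no fix (for example an end-of-life 1.3.x) are reported as unfixed. The function names and the rpm query at the end are assumptions for illustration; the SUSE package versions quoted later in this bug (1.5.4-bp154.2.6.1, 1.6.3-bp155.2.3.1) carry the upstream version first, which is what `rpm -q --qf '%{VERSION}'` returns.

```shell
#!/bin/sh
# Added example (not Roundcube or openSUSE code): does an installed Roundcube
# version already contain the fix for the linkref XSS (bsc#1215433)?

# fixed_for_stream MAJOR.MINOR
# Prints the first fixed upstream release of that code stream, taken from the
# Roundcube announcements for 1.6.3, 1.5.4 and 1.4.14. Returns 1 for any
# other stream, i.e. one that received no fix.
fixed_for_stream() {
    case "$1" in
        1.6) echo 1.6.3 ;;
        1.5) echo 1.5.4 ;;
        1.4) echo 1.4.14 ;;
        *)   return 1 ;;
    esac
}

# roundcube_fixed VERSION
# Exit 0 if VERSION is >= the fixed release of its own stream, 1 otherwise.
# The comparison goes through sort -V so that 1.6.10 correctly ranks above
# 1.6.3 (a plain string compare would get that wrong).
roundcube_fixed() {
    ver=$1
    stream=$(printf '%s\n' "$ver" | cut -d. -f1,2)
    fixed=$(fixed_for_stream "$stream") || return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Usage on an openSUSE / SLE Backports host. Only runs when rpm exists and
# the package is installed; %{VERSION} is the upstream part of the package
# version (1.5.4 out of 1.5.4-bp154.2.6.1).
if command -v rpm >/dev/null 2>&1 \
   && installed=$(rpm -q --qf '%{VERSION}' roundcubemail 2>/dev/null); then
    if roundcube_fixed "$installed"; then
        echo "roundcubemail $installed: linkref XSS fix present"
    else
        echo "roundcubemail $installed: update required (bsc#1215433)"
    fi
fi
```

The stream mapping is deliberate: a 1.5.x installation compares against 1.5.4, not against 1.6.3, because the backported 1.5.4 and 1.4.14 releases carry the same fix without a major upgrade.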
Comment 2 OBSbugzilla Bot 2023-09-21 08:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1215433) was mentioned in
https://build.opensuse.org/request/show/1112688 Backports:SLE-15-SP3 / roundcubemail
https://build.opensuse.org/request/show/1112689 Backports:SLE-15-SP4 / roundcubemail
https://build.opensuse.org/request/show/1112690 Backports:SLE-15-SP5 / roundcubemail
https://build.opensuse.org/request/show/1112691 Backports:SLE-15-SP6 / roundcubemail
Comment 3 Lars Vogdt 2023-09-22 13:15:31 UTC
*** Bug 1215609 has been marked as a duplicate of this bug. ***
Comment 4 Marcus Meissner 2023-10-02 13:09:21 UTC
openSUSE-RU-2023:0283-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1215433
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    roundcubemail-1.5.4-bp154.2.6.1
Comment 5 Marcus Meissner 2023-10-02 13:11:31 UTC
openSUSE-SU-2023:0285-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1215433
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    roundcubemail-1.6.3-bp155.2.3.1
Comment 6 Marcus Meissner 2024-02-13 08:02:50 UTC
done