Bugzilla – Bug 1173792
VUL-0: CVE-2020-15562: XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns
Last modified: 2020-09-24 16:22:52 UTC
CVE-2020-15562 An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15562 https://github.com/roundcube/roundcubemail/releases/tag/1.4.7 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15562 https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82 https://github.com/roundcube/roundcubemail/releases/tag/1.2.11 https://github.com/roundcube/roundcubemail/releases/tag/1.3.14
This is an autogenerated message for OBS integration: This bug (1173792) was mentioned in https://build.opensuse.org/request/show/826139 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / roundcubemail
Update released
openSUSE-SU-2020:1516-1: An update that solves 6 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1115718,1115719,1146286,1171040,1171148,1171149,1173792,1175135 CVE References: CVE-2019-10740,CVE-2020-12625,CVE-2020-12640,CVE-2020-12641,CVE-2020-15562,CVE-2020-16145 JIRA References: Sources used: openSUSE Leap 15.2 (src): roundcubemail-1.3.15-lp152.4.3.1 openSUSE Leap 15.1 (src): roundcubemail-1.3.15-lp151.3.3.1 openSUSE Backports SLE-15-SP2 (src): roundcubemail-1.3.15-bp152.4.3.1 openSUSE Backports SLE-15-SP1 (src): roundcubemail-1.3.15-bp151.4.3.1