RoundCube Webmail is a browser-based, multilingual IMAP client. Its extensive feature set includes MIME support, address books, folder manipulation, message searching, spell checking, and more.
A cross-site scripting (XSS) vulnerability tracked as CVE-2023-43770 in Roundcube has been found, which might result in information leakage through malicious link references in plain/text communications.
Roundcube Webmail 1.6.3 is now available. It offers a patch for a recently discovered XSS vulnerability reported by Niraj Shivtarkar.
“We just published a security update to version 1.6 of Roundcube Webmail. According to the release notes, it provides a fix to a recently reported XSS vulnerability”.
Among other features, Roundcube Webmail supports internationalized domain names, shared folders and namespaces, and SMTP delivery status notifications. Also, the IMAP folders’ user interface has been changed to allow more space for extensions and plug-ins.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Changelog For Version 1.6.3
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
- Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
- Fix bug where a duplicate <title> tag in HTML email could cause some parts to be cut off (#9029)
- Fix bug where a list of folders could have been sorted incorrectly (#9057)
- Fix regression where LDAP addressbook ‘filter’ option was ignored (#9061)
- Fix wrong order of a multi-folder search result when sorting by size (#9065)
- Fix so install/update scripts do not require PEAR (#9037)
- Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
- Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
- Fix PHP8 deprecation warning in the reconnect plugin (#9083)
- Fix “Show source” on mobile with x_frame_options = deny (#9084)
- Fix various PHP warnings (#9098)
- Fix deprecated use of ldap_connect() in password’s ldap_simple driver (#9060)
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
The remote Debian 10 host has packages installed that are affected by this vulnerability.
Roundcube Webmail 1.6.3 is considered stable and it is recommended to update all productive installations of Roundcube 1.6.x with it.
For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.
Hence, it is recommended that you upgrade your roundcube packages.