roundcubemail: cross-site scripting (CVE-2015-1433)
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
References:
http://seclists.org/oss-sec/2015/q1/374
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1433
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
(from redmine: issue id 3900, created on 2015-02-04, closed on 2015-03-16)
- Relations:
- child #3901 (closed)
- child #3902 (closed)
- child #3903 (closed)
- child #3904 (closed)