| Summary: | <mail-client/roundcube-0.9.3 - two XSS vulnerabilities with HTML messages and signatures (CVE-2013-5645) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Philippe Chaintreuil <gentoo_bugs_peep> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mike, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://sourceforge.net/p/roundcubemail/news/2013/08/update-093-released/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Philippe Chaintreuil
2013-08-23 12:43:06 UTC

Thanks for the report.

CVE-2013-5645 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5645): Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc.

Arches, please stabilize:
=mail-client/roundcube-0.9.3

amd64 stable

arm stable

ppc stable

x86 stable

Closing noglsa for XSS.