From $URL:

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
@ Arches, please test and mark stable: =mail-client/roundcube-1.2.4
CVE-2017-6820 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6820): rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
amd64 stable
arm stable.
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: Yes

New GLSA request filed.
(In reply to Thomas Deutschmann from comment #6)
> GLSA Vote: Yes
>
> New GLSA request filed.

There are no GLSA's for Cross Site Scripting
Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #7)
> (In reply to Thomas Deutschmann from comment #6)
> > GLSA Vote: Yes
> >
> > New GLSA request filed.
>
> There are no GLSA's for Cross Site Scripting
> Maintainer(s), please drop the vulnerable version(s).

Dropped.
Arches and Maintainer(s), Thank you for your work.