Summary: | <mail-client/roundcube-1.0.5: Possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins (CVE-2014-9587,CVE-2015-1433) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Philippe Chaintreuil <gentoo_bugs_peep> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://roundcube.net/news/2014/12/18/update-1.0.4-released/ | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Philippe Chaintreuil
2015-01-05 12:52:54 UTC
CVE-2014-9587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9587): Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.

Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready for stabilization.

(In reply to Sean Amoss from comment #2)
> Maintainers, please add arches when =mail-client/roundcube-1.0.4 is ready
> for stabilization.

I'd say you'd want to stabilize 1.0.5 now instead, go ahead with that.

Arches, please test and mark stable:
=mail-client/roundcube-1.0.5
Target Keywords : "amd64 arm ppc x86"
Thank you!

amd64 stable

arm stable

CVE-2015-1433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1433): program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.

x86 stable

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.

GLSA vote: no. Closing as [noglsa]
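As an added example (not part of this bug report and not Roundcube or Gentoo project code), the following Python check maps an installed Roundcube version to the CVEs from this bug that still apply, using only the affected ranges stated in the two NVD descriptions above: CSRF fixed in 1.0.4, XSS fixed in 1.0.5. The version-string handling is a simplified reading of Gentoo conventions (a trailing `-rN` is a packaging revision of the same upstream release, `_alpha`/`_beta`/`_pre`/`_rc` sort below the release, `_pN` above it) and is an assumption of this example, not something the bug states.

```python
"""Report which CVEs from Gentoo bug (roundcube-1.0.5) apply to a given version.

Added example; the fixed-in versions come from the NVD text quoted in the bug.
"""
import re

# Upstream release in which each issue was fixed ("before X" in the NVD text).
# Stored as (major, minor, patch, stage) so pre-releases compare below the release.
FIXED_IN = {
    "CVE-2014-9587": (1, 0, 4, 0),   # CSRF in address book / ACL / managesieve
    "CVE-2015-1433": (1, 0, 5, 0),   # XSS via style attribute (rcube_washtml.php)
}

# Accepts "1.0.5", "1.0.4-r1", "1.0.5_rc1" or "=mail-client/roundcube-1.0.5".
# Assumed Gentoo version grammar, simplified for this example.
_VERSION_RE = re.compile(
    r"^(?:mail-client/roundcube-)?"
    r"(\d+(?:\.\d+)*)"                      # numeric upstream version
    r"(_(?:alpha|beta|pre|rc|p)\d*)?"       # optional stage suffix
    r"(?:-r\d+)?$"                          # optional Gentoo revision, ignored
)


def parse_version(spec):
    """Turn a version spec into a comparable tuple, or None if not understood."""
    spec = spec.strip().lstrip("=~<>")
    m = _VERSION_RE.match(spec)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:            # "1.0" compares as 1.0.0
        parts.append(0)
    suffix = m.group(2)
    if suffix is None:
        stage = 0                     # plain release
    elif suffix.startswith("_p") and not suffix.startswith("_pre"):
        stage = 1                     # _pN: patch level above the release
    else:
        stage = -1                    # _alpha/_beta/_pre/_rc: below the release
    return tuple(parts) + (stage,)


def applicable_cves(spec):
    """Return the sorted CVE ids from this bug that still affect `spec`."""
    version = parse_version(spec)
    if version is None:
        raise ValueError(f"unrecognised version string: {spec!r}")
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


if __name__ == "__main__":
    for v in ("1.0.3", "=mail-client/roundcube-1.0.4", "1.0.4-r1", "1.0.5_rc1", "1.0.5"):
        print(f"{v:35} -> {applicable_cves(v) or 'not affected'}")
```

Note that a `-r1` revision of 1.0.4 is still reported as affected by CVE-2015-1433: the revision only changes the ebuild, not the upstream code, which is why the bug asks for 1.0.5 to be stabilized instead of 1.0.4.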