CVE-2009-0413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0413): Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message.
0.2.1 has been released with a LOT of bug fixes... version bump? :) http://sourceforge.net/forum/forum.php?forum_id=927958
Thanks, closing noglsa as it does not have a stable version (wrong whiteboard...).