Security updates 1.6.16 and 1.7.1 released
We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes
We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes
- Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
- Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
- Fix SSRF bypass via specific local address URLs
- Fix local/private URL fetch bypass when remote resources were not allowed
- Fix bypass of remote image blocking via CSS var()
- Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option