CVE-2013-5645

Name of the Vulnerable Software and Affected Versions Roundcube webmail versions prior to 0.9.3

Description The issue allows user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in new or draft mode, related to compose.inc. Additionally, it might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save identity.inc.

Recommendations For versions prior to 0.9.3, update to version 0.9.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTML signatures and limiting access to compose.inc and save identity.inc until a patch is available. Avoid using the body of a message in new or draft mode with untrusted input until the issue is resolved.