CVE-2015-8105

Name of the Vulnerable Software and Affected Versions RoundCube Webmail versions prior to 1.0.7 RoundCube Webmail versions 1.1.x prior to 1.1.3

Description The issue exists due to a lack of protection for the web page structure in the RoundCube Webmail component program/js/app.js. This allows a remote attacker to perform cross-site scripting via a specially crafted file name during a drag-n-drop file upload.

Recommendations For versions prior to 1.0.7, update to version 1.0.7 or later. For versions 1.1.x prior to 1.1.3, update to version 1.1.3 or later. As a temporary workaround, consider restricting access to the program/js/app.js component until a patch is available. Avoid using the file name parameter in the affected drag-n-drop file upload functionality until the issue is resolved.