Alecpl

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions 1.6.0 through 1.6.15 Roundcube Webmail versions 1.7.0 through 1.7.0 **Description** The remote image blocking feature can be bypassed using a crafted CSS `var()` value within an e-mail message. This bypass may result in access-control bypass or information disclosure. **Recommendations** Update versions 1.6.x to 1.6.16. Update versions 1.7.x to 1.7.1.

**Name of the Vulnerable Software and Affected Versions** Roundcube versions 1.4.13 and earlier, 1.5.x before 1.5.2 **Description** The issue allows for cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in HTML e-mail messages. This can enable a remote attacker to conduct cross-site scripting attacks by sending a specially crafted email message. The vulnerability is related to the lack of protection measures for the web page structure when processing CSS styles. **Recommendations** For versions 1.4.13 and earlier, update to version 1.4.13 or later. For versions 1.5.x before 1.5.2, update to version 1.5.2 or later. As a temporary workaround, consider restricting the processing of CSS styles in HTML email messages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions prior to 1.4.4 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the rcube washtml.php file of Roundcube Webmail. This vulnerability occurs because JavaScript code can be present in the CDATA of an HTML message, allowing for potential exploitation. The vulnerability may allow a remote attacker to impact data integrity. **Recommendations** For versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue. As a temporary workaround, consider disabling the `rcube washtml.php` file until a patch is available. Restrict access to the vulnerable `rcube washtml.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Roundcube versions prior to 1.1.8 Roundcube versions 1.2.x prior to 1.2.4 **Description** The issue allows for a cross-site scripting attack via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element in the rcube utils.php file. **Recommendations** For versions prior to 1.1.8, update to version 1.1.8 or later. For versions 1.2.x prior to 1.2.4, update to version 1.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail version 0.8.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. This occurs in the program/lib/washtml.php file. **Recommendations** For Roundcube Webmail version 0.8.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the use of HTML-formatted emails to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail version 0.8.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML, specifically via the signature in an email. **Recommendations** For Roundcube Webmail version 0.8.1 and earlier, update to a version later than 0.8.1 to resolve the issue.