Guilhem Moulin

**Name of the Vulnerable Software and Affected Versions** roundcube versions prior to 1.3.17 roundcube versions 1.4.x prior to 1.4.12 **Description** The issue is related to roundcube, a skinnable AJAX based webmail solution for IMAP servers, which did not properly sanitize requests and mail messages. This would allow an attacker to perform Cross-Side Scripting (XSS) or SQL injection attacks via the `search` or `search params` parameters. **Recommendations** For versions prior to 1.3.17, upgrade to version 1.3.17 or later. For versions 1.4.x prior to 1.4.12, upgrade to version 1.4.12 or later. As a temporary workaround, consider restricting access to the vulnerable `search` and `search params` parameters until a patch is available.