Mateusz Szymaniec

**Name of the Vulnerable Software and Affected Versions** Request Tracker versions 5.0.4 through 5.0.8 Request Tracker versions 6.0.0 through 6.0.1 **Description** The Request Tracker software contains a Stored Cross-Site Scripting (XSS) issue within the calendar invitation parsing feature. The software displays invitation data without proper HTML sanitization, allowing an attacker to execute JavaScript code by sending a crafted email. This execution occurs when a logged-in user views the ticket. The `calendar invitation parsing feature` is the component affected. **Recommendations** Request Tracker versions 5.0.4 through 5.0.8 should be updated. Request Tracker versions 6.0.0 through 6.0.1 should be updated.

Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.4.11 Description: The issue allows for an XSS attack through crafted Cascading Style Sheets (CSS) token sequences during the rendering of HTML email. This can occur when an attacker sends a specially designed email that exploits this weakness. Recommendations: For versions prior to 1.4.11, update to version 1.4.11 or later to resolve the issue. As a temporary workaround, consider restricting the rendering of HTML emails or disabling the use of CSS in emails until a patch is applied. Avoid using potentially vulnerable CSS token sequences in email templates until the issue is resolved.