Nullcathedral

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 Description A flaw exists in Roundcube Webmail that may allow for IMAP injection or CSRF bypass during mail search due to unsanitized IMAP SEARCH command arguments. Recommendations Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 Description A flaw exists in Roundcube Webmail that allows bypassing the remote image blocking feature. This bypass is achieved through specially crafted SVG content, specifically utilizing animate attributes within an email message. Successful exploitation could lead to information disclosure or access-control bypass. Recommendations Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions prior to 1.5.13 Roundcube Webmail versions prior to 1.6.13 **Description** The webmail application allows for Cascading Style Sheets (CSS) injection due to improper handling of comments. This can potentially lead to modifications of the webmail interface. **Recommendations** Update Roundcube Webmail to version 1.5.13 or later. Update Roundcube Webmail to version 1.6.13 or later.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions prior to 1.5.13 Roundcube Webmail versions prior to 1.6.13 **Description** When the "Block remote images" feature is enabled, Roundcube Webmail fails to block SVG feImage elements. This can potentially allow for malicious content to be displayed to users despite the image blocking feature being active. **Recommendations** Update Roundcube Webmail to version 1.5.13 or later. Update Roundcube Webmail to version 1.6.13 or later.