Y0Us

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 **Description** An issue exists in Roundcube Webmail related to unsafe deserialization within the redis/memcache session handler. This could allow unauthenticated attackers to perform arbitrary file write operations by submitting crafted session data. **Recommendations** Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 Description A flaw exists in Roundcube Webmail that allows for cross-site scripting (XSS). This occurs due to inadequate sanitization of HTML attachments when previewed. An attacker can exploit this by having a victim preview a specially crafted text/html attachment. Recommendations Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.0 through 1.6.13 Description An issue exists in Roundcube Webmail where insufficient Cascading Style Sheets (CSS) sanitization in HTML email messages could lead to Server-Side Request Forgery (SSRF) or Information Disclosure. This can occur if stylesheet links point to local network hosts. Recommendations Update Roundcube Webmail to version 1.6.14 or later.

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 Description A flaw exists in Roundcube Webmail that allows bypassing the remote image blocking feature. This bypass is achieved through a crafted `background` attribute within the `BODY` element of an email message. Successful exploitation could lead to information disclosure or access-control bypass. Recommendations Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.14 and prior to 1.6.14 Description A flaw exists in Roundcube Webmail where an incorrect password comparison within the password plugin can cause a type confusion. This could allow a password change without knowledge of the original password. Recommendations Update Roundcube Webmail to version 1.5.14 or later. Update Roundcube Webmail to version 1.6.14 or later.