CVE-2021-46144

Name of the Vulnerable Software and Affected Versions Roundcube versions 1.4.13 and earlier, 1.5.x before 1.5.2

Description The issue allows for cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in HTML e-mail messages. This can enable a remote attacker to conduct cross-site scripting attacks by sending a specially crafted email message. The vulnerability is related to the lack of protection measures for the web page structure when processing CSS styles.

Recommendations For versions 1.4.13 and earlier, update to version 1.4.13 or later. For versions 1.5.x before 1.5.2, update to version 1.5.2 or later. As a temporary workaround, consider restricting the processing of CSS styles in HTML email messages until a patch is available.