PT-2026-28786 · Unknown+1 · Roundcube-Sqlite3+5

Published: 2026-03-18 · Updated: 2026-03-18

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions

Roundcube versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7
Roundcube-core versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7
Roundcube-mysql versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7
Roundcube-pgsql versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7
Roundcube-plugins versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7
Roundcube-sqlite3 versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7

Description

Roundcube Webmail did not properly sanitize the animate tag within SVG documents, which could allow an attacker to carry out a cross-site scripting (XSS) attack. The issue initially manifested as a regression affecting the HTML sanitizer, preventing Roundcube from rendering email message bodies.

Recommendations

The following packages, in versions prior to 1.4.3+dfsg.1-1ubuntu0.1esm7, should be updated to version 1.4.3+dfsg.1-1ubuntu0.1esm7 or later:

Roundcube
Roundcube-core
Roundcube-mysql
Roundcube-pgsql
Roundcube-plugins
Roundcube-sqlite3

Run sudo pro fix USN-8097-2 to apply the fix.
Related Identifiers

USN-8097-2

Affected Products

Roundcube
Roundcube-Core
Roundcube-Mysql
Roundcube-Pgsql
Roundcube-Plugins
Roundcube-Sqlite3