Security Information / 2023 / Security Information -- DSA-5531-1 roundcube

Debian Security Advisory

DSA-5531-1 roundcube -- security update

Date Reported:

23 Oct 2023

Affected Packages:

roundcube

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1054079.
In Mitre's CVE dictionary: CVE-2023-5631.

More information:

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1.6.4+dfsg-1~deb12u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube