Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Debian 10: DLA-3835-1 Severe: Roundcube Cross-Site Scripting Risks

debian lts
Calendar Grey June 17, 2024
Dist Debian Esm H88
The Debian LTS advisory DLA-3836-1 highlights critical vulnerabilities in the DokuWiki software. Users are urged to perform updates to enhance system security.
Cross-site scripting (XSS) vulnerabilities were discovered in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which could allow a remote attacker to load arbit...
Topics%20covered

Topics Covered

security advisory debian cross-site scripting upgrade recommendation webmail information disclosure roundcube

Summary

CVE-2024-37383

Valentin T. and Lutz Wolf of CrowdStrike discovered that Roundcube
allows XSS via SVG animate attributes.

CVE-2024-37384

Huy Nguyễn Phạm Nhật discovered that Roundcube allows XSS via list
columns from user preferences.

For Debian 10 buster, these problems have been fixed in version
1.3.17+dfsg.1-1~deb10u6.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Package: roundcube
Version: 1.3.17+dfsg.1-1~deb10u6
CVE ID: CVE-2024-37383 CVE-2024-37384
Debian Bug: 1071474

Topics%20covered

Topics Covered

security advisory debian cross-site scripting upgrade recommendation webmail information disclosure roundcube

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here