Several security issues were fixed in Roundcube Webmail.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapackage
Details:
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names.
An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)
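The following is an added defensive illustration of the Punycode issue described above; it is not Roundcube's code or the upstream fix. It decodes `xn--` labels and flags those mixing scripts so that look-alike domains stay visible. The function names, the finding labels and the display policy are assumptions made for this example, and the sample domains are constructed.

```python
import unicodedata

def ace(label):
    """Helper for building sample data: Unicode label -> xn-- (ACE) form."""
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label):
    """Decode one DNS label; only xn-- (ACE) labels carry Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def inspect_domain(domain):
    """Return (display_form, findings) for a domain taken from a message header."""
    shown, findings = [], []
    for label in domain.lower().rstrip(".").split("."):
        try:
            text = decode_label(label)
        except UnicodeError:
            findings.append(("invalid-punycode", label))
            shown.append(label)      # keep the raw ACE form
            continue
        if len(label_scripts(text)) > 1:
            findings.append(("mixed-script", label))
            shown.append(label)      # assumed policy: never render mixed scripts
            continue
        if text != label:
            findings.append(("idn", label))  # single-script IDN: show, but note it
        shown.append(text)
    return ".".join(shown), findings

# Constructed sample domains (not taken from the advisory).
SAMPLES = [
    "example.com",
    ace("\u0430pple") + ".com",    # Cyrillic "a" followed by Latin "pple"
    ace("m\u00fcnchen") + ".de",   # Latin-only label with u-umlaut
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_domain(sample))
```

The name-based script test is an approximation: it will also flag legitimate labels that combine scripts, such as Japanese names mixing kana and kanji, and it does not catch labels written entirely in one look-alike script.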
It was discovered that Roundcube Webmail did not properly sanitize certain
attributes when handling CSS within HTML messages and certain SVG attributes.
An attacker could possibly use this issue to cause a cross-site scripting attack.
(CVE-2024-38356, CVE-2024-38357)
It was discovered that Roundcube Webmail did not properly sanitize certain HTML
attributes when rendering e-mail messages. An attacker could possibly use this
issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcube Webmail did not properly filter certain CSS token
sequences within rendered e-mail messages. An attacker could possibly use this
...
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
  roundcube-core 1.6.6+dfsg-2ubuntu0.1+esm3
    Available with Ubuntu Pro
Ubuntu 22.04 LTS
  roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm6
    Available with Ubuntu Pro
  roundcube-plugins 1.5.0+dfsg.1-2ubuntu0.1~esm6
    Available with Ubuntu Pro
Ubuntu 20.04 LTS
  roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm8
    Available with Ubuntu Pro
  roundcube-plugins 1.4.3+dfsg.1-1ubuntu0.1~esm8
    Available with Ubuntu Pro
Ubuntu 18.04 LTS
  roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm8
    Available with Ubuntu Pro
  roundcube-plugins 1.3.6+dfsg.1-1ubuntu0.1~esm8
    Available with Ubuntu Pro
Ubuntu 16.04 LTS
  roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm8
    Available with Ubuntu Pro
  roundcube-plugins 1.2~beta+dfsg.1-0ubuntu1+esm8
    Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8223-1
CVE-2019-15237, CVE-2024-38356, CVE-2024-38357, CVE-2024-42008,
CVE-2024-42010, CVE-2026-25916, CVE-2026-26079