Package | roundcube |
---|---|
Version | 1.3.17+dfsg.1-1~deb10u7 (buster) |
Related CVEs | CVE-2024-42008 CVE-2024-42009 CVE-2024-42010 |

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Roundcube, a skinnable AJAX-based webmail solution for IMAP servers, which could lead to privilege escalation, information disclosure or denial of service.

- CVE-2024-42008: Oskar Zeino-Mahmalat discovered that Roundcube allows XSS in serving of attachments other than HTML or SVG.
- CVE-2024-42009: Oskar Zeino-Mahmalat discovered that Roundcube allows XSS in post-processing of sanitized HTML content.
- CVE-2024-42010: Oskar Zeino-Mahmalat discovered an information leak (access to remote content) due to insufficient CSS filtering.

For Debian 10 buster, these problems have been fixed in version 1.3.17+dfsg.1-1~deb10u7.
We recommend that you upgrade your roundcube packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.