Roundcube v1.2.10 Release Notes

Release Date: 2020-04-29 // over 2 years ago
  • โšก๏ธ This is a security update to the LTS version 1.2.
    ๐Ÿ”’ It fixes four recently reported security vulnerabilities:

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • ๐Ÿ”Œ Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations
    with public access to the Roundcube installer. That's generally a high-risk situation and is expected
    ๐Ÿš€ to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
    in core in order to also prevent from future and yet unknown attack vectors.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.2.x.
    โšก๏ธ if you cannot upgrade to a more recent version. Please do backup your data before updating!

    ๐Ÿ”„ CHANGELOG

    • ๐Ÿ›  Fix missing message-htmlpart1 class breaking inline CSS (#6493)
    • ๐Ÿ”’ Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • ๐Ÿ”’ Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • ๐Ÿ”’ Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)