Roundcube v1.4.8 Release Notes
Release Date: 2020-08-10
⚡️ This is a service and security update to the stable version 1.4 of Roundcube Webmail.
🔒 It contains fixes for recently reported security vulnerabilities as well as a small number of general improvements from our issue tracker. See the full changelog below.
🔒 Security fixes
- 🛠 Fix potential XSS issue in HTML editor of the identity signature input
- 🛠 Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- 🛠 Fix cross-site scripting (XSS) via HTML messages with malicious math content
✅ Credits for the latter two findings go to Łukasz Pilorz from Pentesters.
⚡️ This version is considered stable and we recommend updating all production installations of Roundcube with it.
⚡️ Please do back up your data before updating!
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- 🛠 Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- 🛠 Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- 🛠 Fix incorrect rewriting of internal links in HTML content (#7512)
- 🛠 Fix handling links without defined protocol (#7454)
- 🛠 Fix paging of search results on IMAP servers with no SORT capability (#7462)
- 🛠 Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- 🔒 Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
- 🔒 Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [
- 🔒 Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content