Date: Sun, 12 Mar 2017 17:41:49 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: Roundcube: CVE-2017-6820: XSS issue in handling of a style tag inside of an svg element Hi I have requested a CVE for the following Roundcube issue, wich got assigned CVE-2017-6820[*]. rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.. https://github.com/roundcube/roundcubemail/releases/tag/1.1.8 https://github.com/roundcube/roundcubemail/releases/tag/1.2.4 https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released Upstream fix (sequence of two commits): https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305 https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4 Regards, Salvatore [*] ideally that would be done by the upstream project on it's own before publishing an issue in case it was privately reported, since it was not immediately clear to me if one was already requested or some other vendors/distributors have done it.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ