Message-ID: <aU_eCJDHaVTiFkal@donburi.himad.notcom.org>
Date: Sat, 27 Dec 2025 15:49:59 +0200
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-68460/CVE-2025-68461: Roundcube XSS + I-D prior to
 1.5.12/1.6.12

Roundcube, a PHP-based webmail frontend, released a series of security updates
on Dec 12. From the release announcement:

 * Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by
   Valentin T., CrowdStrike.
 
 * Fix Information Disclosure vulnerability in the HTML style sanitizer reported
   by somerandomdev.

These are fixed in the newly released versions 1.5.12 and 1.6.12. While not
mentioned in the official announcement, these appear to be CVE-2025-68461 (7.2)
and CVE-2025-68460 (7.2) respectively.

Additionally, a new prerelease of the 1.7 series (currently in beta), 1.7rc2, was
announced fixing the same issues.

Full announcements:
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
https://roundcube.net/news/2025/12/15/roundcube-1.7-rc2-released

 -Valtteri
 
