RoundCube Webmail is a browser-based, multilingual IMAP client. Its extensive feature set includes MIME support, address books, folder manipulation, message searching, spell checking, and more.
A cross-site scripting (XSS) vulnerability tracked as CVE-2023-43770 in Roundcube has been found, which might result in information leakage through malicious link references in plain/text communications.
Roundcube Webmail 1.6.3 is now available. It offers a patch for a recently discovered XSS vulnerability reported by Niraj Shivtarkar.
“We just published a security update to version 1.6 of Roundcube Webmail. According to the release notes, it provides a fix to a recently reported XSS vulnerability”.
Among other features, Roundcube Webmail supports internationalized domain names, shared folders and namespaces, and SMTP delivery status notifications. Also, the IMAP folders’ user interface has been changed to allow more space for extensions and plug-ins.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Changelog For Version 1.6.3
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
- Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
- Fix bug where a duplicate
tag in HTML email could cause some parts to be cut off (#9029)</li> <li>Fix bug where a list of folders could have been sorted incorrectly (#9057)</li> <li>Fix regression where LDAP addressbook ‘filter’ option was ignored (#9061)</li> <li>Fix wrong order of a multi-folder search result when sorting by size (#9065)</li> <li>Fix so install/update scripts do not require PEAR (#9037)</li> <li>Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)</li> <li>Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)</li> <li>Fix PHP8 deprecation warning in the reconnect plugin (#9083)</li> <li>Fix “Show source” on mobile with x_frame_options = deny (#9084)</li> <li>Fix various PHP warnings (#9098)</li> <li>Fix deprecated use of ldap_connect() in password’s ldap_simple driver (#9060)</li> <li>Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages</li> </ul> <p>The remote Debian 10 host has packages installed that are affected by this vulnerability. </p> <h2 class="wp-block-heading" id="h-fix-available"><strong>Fix Available</strong></h2> <p>Roundcube Webmail 1.6.3 is considered stable and it is recommended to update all productive installations of Roundcube 1.6.x with it.</p> <p>For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.</p> <p>Hence, it is recommended that you upgrade your roundcube packages.</p> <p class="has-text-align-center has-background" style="background-color:#f4f4f4"><strong>Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, <a rel="nofollow noopener" target="_blank" href="https://twitter.com/The_Cyber_News">Twitter</a>, and Facebook.</strong></p> <p><!-- AI CONTENT END 1 --> </div> <p><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script><br /> <br /><br /> <br /><a href="https://cybersecuritynews.com/roundcube-webmail-xss-vulnerability/" target="_blank" rel="noopener">Source link </a></p> </div><!-- .entry-content --> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://cybernoz.com/bind-dns-system-flaws-let-attacker-launch-dos-attacks/" rel="prev">BIND DNS system Flaws Let Attacker Launch DoS Attacks →</a></div><div class="nav-next"><a href="https://cybernoz.com/new-stealthy-and-modular-deadglyph-malware-used-in-govt-attacks/" rel="next">← New stealthy and modular Deadglyph malware used in govt attacks</a></div></div> </nav> <div class="clear"></div> </div><!--/#gridhot-posts-wrapper --> </div> </div> </div><!-- /#gridhot-main-wrapper --> <div class="gridhot-sidebar-one-wrapper gridhot-sidebar-widget-areas gridhot-clearfix" id="gridhot-sidebar-one-wrapper" itemscope="itemscope" itemtype="http://schema.org/WPSideBar" role="complementary"> <div class="theiaStickySidebar"> <div class="gridhot-sidebar-one-wrapper-inside gridhot-clearfix"> <div id="block-3" class="gridhot-side-widget widget gridhot-widget-box widget_block"><div class="gridhot-widget-box-inside"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <h2 class="wp-block-heading">Latest Posts</h2> <ul class="wp-block-latest-posts__list wp-block-latest-posts"><li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/25000-forticloud-sso-enabled-systems-vulnerable-to-remote-exploitation/">25,000+ FortiCloud SSO-Enabled Systems Vulnerable to Remote Exploitation</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/hackers-weaponize-svg-files-and-office-documents-to-target-windows-users/">Hackers Weaponize SVG Files and Office Documents to Target Windows Users</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/scripted-sparrow-utilizes-automation-to-generate-and-dispatch-attack-messages/">Scripted Sparrow Utilizes Automation to Generate and Dispatch Attack Messages</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/heres-whats-in-the-dojs-epstein-file-release-and-whats-missing/">Here’s What’s in the DOJ’s Epstein File Release—and What’s Missing</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/new-kibana-vulnerabilities-allow-attackers-to-embed-malicious-scripts/">New Kibana Vulnerabilities Allow Attackers to Embed Malicious Scripts</a></li> </ul></div></div> </div></div> </div> </div> </div><!-- /#gridhot-sidebar-one-wrapper--> </div> </div><!--/#gridhot-content-wrapper --> </div><!--/#gridhot-wrapper --> <div class='gridhot-clearfix' id='gridhot-copyright-area'> <div class='gridhot-copyright-area-inside gridhot-container'> <div class="gridhot-outer-wrapper"> <div class='gridhot-copyright-area-inside-content gridhot-clearfix'> <p class='gridhot-copyright'>Copyright © 2025 Cybernoz - Cybersecurity News</p> <p class='gridhot-credit'><a href="https://themesdna.com/">Design by ThemesDNA.com</a></p> </div> </div> </div> </div><!--/#gridhot-copyright-area --> <button class="gridhot-scroll-top" title="Scroll to Top"><i class="fas fa-arrow-up" aria-hidden="true"></i><span class="gridhot-sr-only">Scroll to Top</span></button> <noscript> <div> <img src="https://mc.yandex.ru/watch/102510865" style="position:absolute; left:-9999px;" alt=""/> </div> </noscript> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/gridhot/*","/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/wp-yandex-metrika/assets/contactFormSeven.min.js?ver=1.2.2" id="wp-yandex-metrika_contact-form-7-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/dist/hooks.min.js?ver=dd5603f07f9220ed27f1" id="wp-hooks-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/dist/i18n.min.js?ver=c26c3dc7bed366793375" id="wp-i18n-js"></script> <script type="text/javascript" id="wp-i18n-js-after"> /* <![CDATA[ */ wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); //# sourceURL=wp-i18n-js-after /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.4" id="swv-js"></script> <script type="text/javascript" id="contact-form-7-js-before"> /* <![CDATA[ */ var wpcf7 = { "api": { "root": "https:\/\/cybernoz.com\/wp-json\/", "namespace": "contact-form-7\/v1" } }; //# sourceURL=contact-form-7-js-before /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.4" id="contact-form-7-js"></script> <script type="text/javascript" src="https://challenges.cloudflare.com/turnstile/v0/api.js" id="cloudflare-turnstile-js" data-wp-strategy="async"></script> <script type="text/javascript" id="cloudflare-turnstile-js-after"> /* <![CDATA[ */ document.addEventListener( 'wpcf7submit', e => turnstile.reset() ); //# sourceURL=cloudflare-turnstile-js-after /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/ResizeSensor.min.js" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/theia-sticky-sidebar.min.js" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/navigation.js" id="gridhot-navigation-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/skip-link-focus-fix.js" id="gridhot-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/imagesloaded.min.js?ver=5.0.0" id="imagesloaded-js"></script> <script type="text/javascript" id="gridhot-customjs-js-extra"> /* <![CDATA[ */ var gridhot_ajax_object = {"ajaxurl":"https://cybernoz.com/wp-admin/admin-ajax.php","primary_menu_active":"1","secondary_menu_active":"1","sticky_sidebar_active":"1","fitvids_active":"","backtotop_active":"1"}; //# sourceURL=gridhot-customjs-js-extra /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/custom.js" id="gridhot-customjs-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/mousewheel-smooth-scroll/js/lenis.min.js?ver=1.1.19" id="lenis-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/uploads/wpmss/lenis-init.min.js?ver=1741843726" id="lenis-init-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-events-provider-contact-form-7-40476021fb6e59177033.js" id="googlesitekit-events-provider-contact-form-7-js" defer></script> <script id="wp-emoji-settings" type="application/json"> {"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://cdn.cybernoz.com/wp-includes/js/wp-emoji-release.min.js?ver=6.9"}} </script> <script type="module"> /* <![CDATA[ */ /*! This file is auto-generated */ const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))}); //# sourceURL=https://cybernoz.com/wp-includes/js/wp-emoji-loader.min.js /* ]]> */ </script> </body> </html> <!-- Page supported by LiteSpeed Cache 7.7 on 2025-12-20 12:09:51 --><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="c4be1e3bcf3291752777d765-|49" defer></script>