RoundCube Webmail is a browser-based, multilingual IMAP client. Its extensive feature set includes MIME support, address books, folder manipulation, message searching, spell checking, and more.
A cross-site scripting (XSS) vulnerability tracked as CVE-2023-43770 in Roundcube has been found, which might result in information leakage through malicious link references in plain/text communications.
Roundcube Webmail 1.6.3 is now available. It offers a patch for a recently discovered XSS vulnerability reported by Niraj Shivtarkar.
“We just published a security update to version 1.6 of Roundcube Webmail. According to the release notes, it provides a fix to a recently reported XSS vulnerability”.
Among other features, Roundcube Webmail supports internationalized domain names, shared folders and namespaces, and SMTP delivery status notifications. Also, the IMAP folders’ user interface has been changed to allow more space for extensions and plug-ins.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Changelog For Version 1.6.3
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
- Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
- Fix bug where a duplicate
tag in HTML email could cause some parts to be cut off (#9029)</li> <li>Fix bug where a list of folders could have been sorted incorrectly (#9057)</li> <li>Fix regression where LDAP addressbook ‘filter’ option was ignored (#9061)</li> <li>Fix wrong order of a multi-folder search result when sorting by size (#9065)</li> <li>Fix so install/update scripts do not require PEAR (#9037)</li> <li>Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)</li> <li>Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)</li> <li>Fix PHP8 deprecation warning in the reconnect plugin (#9083)</li> <li>Fix “Show source” on mobile with x_frame_options = deny (#9084)</li> <li>Fix various PHP warnings (#9098)</li> <li>Fix deprecated use of ldap_connect() in password’s ldap_simple driver (#9060)</li> <li>Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages</li> </ul> <p>The remote Debian 10 host has packages installed that are affected by this vulnerability. </p> <h2 class="wp-block-heading" id="h-fix-available"><strong>Fix Available</strong></h2> <p>Roundcube Webmail 1.6.3 is considered stable and it is recommended to update all productive installations of Roundcube 1.6.x with it.</p> <p>For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.</p> <p>Hence, it is recommended that you upgrade your roundcube packages.</p> <p class="has-text-align-center has-background" style="background-color:#f4f4f4"><strong>Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, <a rel="nofollow noopener" target="_blank" href="https://twitter.com/The_Cyber_News">Twitter</a>, and Facebook.</strong></p> <p><!-- AI CONTENT END 1 --> </div> <p><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script><br /> <br /><br /> <br /><a href="https://cybersecuritynews.com/roundcube-webmail-xss-vulnerability/" target="_blank" rel="noopener">Source link </a></p> </div><!-- .entry-content --> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://cybernoz.com/bind-dns-system-flaws-let-attacker-launch-dos-attacks/" rel="prev">BIND DNS system Flaws Let Attacker Launch DoS Attacks →</a></div><div class="nav-next"><a href="https://cybernoz.com/new-stealthy-and-modular-deadglyph-malware-used-in-govt-attacks/" rel="next">← New stealthy and modular Deadglyph malware used in govt attacks</a></div></div> </nav> <div class="clear"></div> </div><!--/#gridhot-posts-wrapper --> </div> </div> </div><!-- /#gridhot-main-wrapper --> <div class="gridhot-sidebar-one-wrapper gridhot-sidebar-widget-areas gridhot-clearfix" id="gridhot-sidebar-one-wrapper" itemscope="itemscope" itemtype="http://schema.org/WPSideBar" role="complementary"> <div class="theiaStickySidebar"> <div class="gridhot-sidebar-one-wrapper-inside gridhot-clearfix"> <div id="block-3" class="gridhot-side-widget widget gridhot-widget-box widget_block"><div class="gridhot-widget-box-inside"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <h2 class="wp-block-heading">Latest Posts</h2> <ul class="wp-block-latest-posts__list wp-block-latest-posts"><li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/">W3 Total Cache WordPress plugin vulnerable to PHP command injection</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/seraphic-becomes-the-first-and-only-secure-enterprise-browser-solution-to-protect-electron-based-applications-2/">Seraphic Becomes the First and Only Secure Enterprise Browser Solution to Protect Electron-Based Applications</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/cloudflare-contrite-after-worst-outage-since-2019/">Cloudflare contrite after worst outage since 2019</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/exploiting-a-pre-auth-rce-in-w3-total-cache-for-wordpress-cve-2025-9501/">Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501)</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/us-allies-sanction-russian-bulletproof-hosting-firm/">US, allies sanction Russian bulletproof hosting firm</a></li> </ul></div></div> </div></div> </div> </div> </div><!-- /#gridhot-sidebar-one-wrapper--> </div> </div><!--/#gridhot-content-wrapper --> </div><!--/#gridhot-wrapper --> <div class='gridhot-clearfix' id='gridhot-copyright-area'> <div class='gridhot-copyright-area-inside gridhot-container'> <div class="gridhot-outer-wrapper"> <div class='gridhot-copyright-area-inside-content gridhot-clearfix'> <p class='gridhot-copyright'>Copyright © 2025 Cybernoz - Cybersecurity News</p> <p class='gridhot-credit'><a href="https://themesdna.com/">Design by ThemesDNA.com</a></p> </div> </div> </div> </div><!--/#gridhot-copyright-area --> <button class="gridhot-scroll-top" title="Scroll to Top"><i class="fas fa-arrow-up" aria-hidden="true"></i><span class="gridhot-sr-only">Scroll to Top</span></button> <noscript> <div> <img src="https://mc.yandex.ru/watch/102510865" style="position:absolute; left:-9999px;" alt=""/> </div> </noscript> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/gridhot\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/wp-yandex-metrika/assets/contactFormSeven.min.js?ver=1.2.2" id="wp-yandex-metrika_contact-form-7-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6" id="wp-hooks-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6" id="wp-i18n-js"></script> <script type="text/javascript" id="wp-i18n-js-after"> /* <![CDATA[ */ wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.3" id="swv-js"></script> <script type="text/javascript" id="contact-form-7-js-before"> /* <![CDATA[ */ var wpcf7 = { "api": { "root": "https:\/\/cybernoz.com\/wp-json\/", "namespace": "contact-form-7\/v1" } }; /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.3" id="contact-form-7-js"></script> <script type="text/javascript" src="https://challenges.cloudflare.com/turnstile/v0/api.js" id="cloudflare-turnstile-js" data-wp-strategy="async"></script> <script type="text/javascript" id="cloudflare-turnstile-js-after"> /* <![CDATA[ */ document.addEventListener( 'wpcf7submit', e => turnstile.reset() ); /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/ResizeSensor.min.js" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/theia-sticky-sidebar.min.js" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/navigation.js" id="gridhot-navigation-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/skip-link-focus-fix.js" id="gridhot-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-includes/js/imagesloaded.min.js?ver=5.0.0" id="imagesloaded-js"></script> <script type="text/javascript" id="gridhot-customjs-js-extra"> /* <![CDATA[ */ var gridhot_ajax_object = {"ajaxurl":"https:\/\/cybernoz.com\/wp-admin\/admin-ajax.php","primary_menu_active":"1","secondary_menu_active":"1","sticky_sidebar_active":"1","fitvids_active":"","backtotop_active":"1"}; /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/custom.js" id="gridhot-customjs-js"></script> <script type="text/javascript" id="gridhot-html5shiv-js-js-extra"> /* <![CDATA[ */ var gridhot_custom_script_vars = {"elements_name":"abbr article aside audio bdi canvas data datalist details dialog figcaption figure footer header hgroup main mark meter nav output picture progress section summary template time video"}; /* ]]> */ </script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/themes/gridhot/assets/js/html5shiv.js" id="gridhot-html5shiv-js-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/mousewheel-smooth-scroll/js/lenis.min.js?ver=1.1.19" id="lenis-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/uploads/wpmss/lenis-init.min.js?ver=1741843726" id="lenis-init-js"></script> <script type="text/javascript" src="https://cdn.cybernoz.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-events-provider-contact-form-7-40476021fb6e59177033.js" id="googlesitekit-events-provider-contact-form-7-js" defer></script> </body> </html> <!-- Page supported by LiteSpeed Cache 7.6.2 on 2025-11-19 21:01:20 --><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="4c96059aacde552d3ab86021-|49" defer></script>