RoundCube Webmail is a browser-based, multilingual IMAP client. Its extensive feature set includes MIME support, address books, folder manipulation, message searching, spell checking, and more.
A cross-site scripting (XSS) vulnerability tracked as CVE-2023-43770 in Roundcube has been found, which might result in information leakage through malicious link references in plain/text communications.
Roundcube Webmail 1.6.3 is now available. It offers a patch for a recently discovered XSS vulnerability reported by Niraj Shivtarkar.
“We just published a security update to version 1.6 of Roundcube Webmail. According to the release notes, it provides a fix to a recently reported XSS vulnerability”.
Among other features, Roundcube Webmail supports internationalized domain names, shared folders and namespaces, and SMTP delivery status notifications. Also, the IMAP folders’ user interface has been changed to allow more space for extensions and plug-ins.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Changelog For Version 1.6.3
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
- Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
- Fix bug where a duplicate
tag in HTML email could cause some parts to be cut off (#9029)</li> <li>Fix bug where a list of folders could have been sorted incorrectly (#9057)</li> <li>Fix regression where LDAP addressbook ‘filter’ option was ignored (#9061)</li> <li>Fix wrong order of a multi-folder search result when sorting by size (#9065)</li> <li>Fix so install/update scripts do not require PEAR (#9037)</li> <li>Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)</li> <li>Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)</li> <li>Fix PHP8 deprecation warning in the reconnect plugin (#9083)</li> <li>Fix “Show source” on mobile with x_frame_options = deny (#9084)</li> <li>Fix various PHP warnings (#9098)</li> <li>Fix deprecated use of ldap_connect() in password’s ldap_simple driver (#9060)</li> <li>Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages</li> </ul> <p>The remote Debian 10 host has packages installed that are affected by this vulnerability. </p> <h2 class="wp-block-heading" id="h-fix-available"><strong>Fix Available</strong></h2> <p>Roundcube Webmail 1.6.3 is considered stable and it is recommended to update all productive installations of Roundcube 1.6.x with it.</p> <p>For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.</p> <p>Hence, it is recommended that you upgrade your roundcube packages.</p> <p class="has-text-align-center has-background" style="background-color:#f4f4f4"><strong>Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, <a rel="nofollow noopener" target="_blank" href="https://twitter.com/The_Cyber_News">Twitter</a>, and Facebook.</strong></p> <p><!-- AI CONTENT END 1 --> </div> <p><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script><br /> <br /><br /> <br /><a href="https://cybersecuritynews.com/roundcube-webmail-xss-vulnerability/">Source link </a></p> </div><!-- .entry-content --> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://cybernoz.com/bind-dns-system-flaws-let-attacker-launch-dos-attacks/" rel="prev">BIND DNS system Flaws Let Attacker Launch DoS Attacks →</a></div><div class="nav-next"><a href="https://cybernoz.com/new-stealthy-and-modular-deadglyph-malware-used-in-govt-attacks/" rel="next">← New stealthy and modular Deadglyph malware used in govt attacks</a></div></div> </nav> <div class="clear"></div> </div><!--/#gridhot-posts-wrapper --> </div> </div> </div><!-- /#gridhot-main-wrapper --> <div class="gridhot-sidebar-one-wrapper gridhot-sidebar-widget-areas gridhot-clearfix" id="gridhot-sidebar-one-wrapper" itemscope="itemscope" itemtype="http://schema.org/WPSideBar" role="complementary"> <div class="theiaStickySidebar"> <div class="gridhot-sidebar-one-wrapper-inside gridhot-clearfix"> <div id="block-3" class="gridhot-side-widget widget gridhot-widget-box widget_block"><div class="gridhot-widget-box-inside"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <h2 class="wp-block-heading">Latest Posts</h2> <ul class="wp-block-latest-posts__list wp-block-latest-posts"><li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/linkedin-halts-ai-model-training-in-the-uk/">LinkedIn Halts AI Model Training In The UK</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/the-tor-project-responded-to-claims-that-law-enforcement-can-deanonymize-tor-users/">The Tor Project responded to claims that law enforcement can deanonymize Tor users</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/microsoft-ends-development-of-windows-server-update-services-wsus/">Microsoft ends development of Windows Server Update Services (WSUS)</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/windows-server-2025-previews-security-updates-without-restarts/">Windows Server 2025 previews security updates without restarts</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/supreme-court-youtube-channel-hacked-xrp-videos-posted/">Supreme Court YouTube Channel Hacked, XRP Videos Posted</a></li> </ul></div></div> </div></div><div id="custom_html-2" class="widget_text gridhot-side-widget widget gridhot-widget-box widget_custom_html"><div class="widget_text gridhot-widget-box-inside"><div class="gridhot-widget-header"><div class="gridhot-widget-header-inside"><h2 class="gridhot-widget-title"><span class="gridhot-widget-title-inside">Social?</span></h2></div></div><div class="textwidget custom-html-widget"><script type="text/javascript"> atOptions = { 'key' : 'd763fe6a6c5ebe5ea235b8650bdb1880', 'format' : 'iframe', 'height' : 600, 'width' : 160, 'params' : {} }; </script> <script type="text/javascript" src="//www.topcreativeformat.com/d763fe6a6c5ebe5ea235b8650bdb1880/invoke.js"></script></div></div></div> </div> </div> </div><!-- /#gridhot-sidebar-one-wrapper--> </div> </div><!--/#gridhot-content-wrapper --> </div><!--/#gridhot-wrapper --> <div class='gridhot-clearfix' id='gridhot-copyright-area'> <div class='gridhot-copyright-area-inside gridhot-container'> <div class="gridhot-outer-wrapper"> <div class='gridhot-copyright-area-inside-content gridhot-clearfix'> <p class='gridhot-copyright'>Copyright © 2024 Cybernoz</p> <p class='gridhot-credit'><a href="https://themesdna.com/">Design by ThemesDNA.com</a></p> </div> </div> </div> </div><!--/#gridhot-copyright-area --> <button class="gridhot-scroll-top" title="Scroll to Top"><i class="fas fa-arrow-up" aria-hidden="true"></i><span class="gridhot-sr-only">Scroll to Top</span></button> <link rel='stylesheet' id='whp3646tw-bs4.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/inc/assets/css/tw-bs4.css' type='text/css' media='all' /> <link rel='stylesheet' id='whp7562font-awesome.min.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/inc/fa/css/font-awesome.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='whp5068front.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/css/front.css' type='text/css' media='all' /> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/hooks.min.js" id="wp-hooks-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/i18n.min.js" id="wp-i18n-js"></script> <script type="text/javascript" id="wp-i18n-js-after"> /* <![CDATA[ */ wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js" id="swv-js"></script> <script type="text/javascript" id="contact-form-7-js-extra"> /* <![CDATA[ */ var wpcf7 = {"api":{"root":"https:\/\/cybernoz.com\/wp-json\/","namespace":"contact-form-7\/v1"}}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/js/index.js" id="contact-form-7-js"></script> <script type="text/javascript" id="swcfpc_auto_prefetch_url-js-before"> /* <![CDATA[ */ function swcfpc_wildcard_check(str, rule) { let escapeRegex = (str) => str.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1"); return new RegExp("^" + rule.split("*").map(escapeRegex).join(".*") + "$").test(str); } function swcfpc_can_url_be_prefetched(href) { if( href.length == 0 ) return false; if( href.startsWith("mailto:") ) return false; if( href.startsWith("https://") ) href = href.split("https://"+location.host)[1]; else if( href.startsWith("http://") ) href = href.split("http://"+location.host)[1]; for( let i=0; i < swcfpc_prefetch_urls_to_exclude.length; i++) { if( swcfpc_wildcard_check(href, swcfpc_prefetch_urls_to_exclude[i]) ) return false; } return true; } let swcfpc_prefetch_urls_to_exclude = '["\/*ao_noptirocket*","\/*jetpack=comms*","\/*kinsta-monitor*","*ao_speedup_cachebuster*","\/*removed_item*","\/my-account*","\/wc-api\/*","\/edd-api\/*","\/wp-json*"]'; swcfpc_prefetch_urls_to_exclude = (swcfpc_prefetch_urls_to_exclude) ? JSON.parse(swcfpc_prefetch_urls_to_exclude) : []; /* ]]> */ </script> <script type="module" src="https://cybernoz.com/wp-content/plugins/wp-cloudflare-page-cache/assets/js/instantpage.min.js" defer id="swcfpc_instantpage-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/jquery.fitvids.min.js" id="fitvids-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/ResizeSensor.min.js" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/theia-sticky-sidebar.min.js" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/navigation.js" id="gridhot-navigation-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/skip-link-focus-fix.js" id="gridhot-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/imagesloaded.min.js" id="imagesloaded-js"></script> <script type="text/javascript" id="gridhot-customjs-js-extra"> /* <![CDATA[ */ var gridhot_ajax_object = {"ajaxurl":"https:\/\/cybernoz.com\/wp-admin\/admin-ajax.php","primary_menu_active":"1","secondary_menu_active":"1","sticky_sidebar_active":"1","fitvids_active":"1","backtotop_active":"1"}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/custom.js" id="gridhot-customjs-js"></script> <script type="text/javascript" id="gridhot-html5shiv-js-js-extra"> /* <![CDATA[ */ var gridhot_custom_script_vars = {"elements_name":"abbr article aside audio bdi canvas data datalist details dialog figcaption figure footer header hgroup main mark meter nav output picture progress section summary template time video"}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/html5shiv.js" id="gridhot-html5shiv-js-js"></script> <script id="swcfpc"> const swcfpc_prefetch_urls_timestamp_server = '1726873538'; let swcfpc_prefetched_urls = localStorage.getItem("swcfpc_prefetched_urls"); swcfpc_prefetched_urls = (swcfpc_prefetched_urls) ? JSON.parse(swcfpc_prefetched_urls) : []; let swcfpc_prefetch_urls_timestamp_client = localStorage.getItem("swcfpc_prefetch_urls_timestamp_client"); if (swcfpc_prefetch_urls_timestamp_client == undefined || swcfpc_prefetch_urls_timestamp_client != swcfpc_prefetch_urls_timestamp_server) { swcfpc_prefetch_urls_timestamp_client = swcfpc_prefetch_urls_timestamp_server; swcfpc_prefetched_urls = new Array(); localStorage.setItem("swcfpc_prefetched_urls", JSON.stringify(swcfpc_prefetched_urls)); localStorage.setItem("swcfpc_prefetch_urls_timestamp_client", swcfpc_prefetch_urls_timestamp_client); } function swcfpc_element_is_in_viewport(element) { let bounding = element.getBoundingClientRect(); if (bounding.top >= 0 && bounding.left >= 0 && bounding.right <= (window.innerWidth || document.documentElement.clientWidth) && bounding.bottom <= (window.innerHeight || document.documentElement.clientHeight)) return true; return false; } function swcfpc_prefetch_urls() { let comp = new RegExp(location.host); document.querySelectorAll("a").forEach((item) => { if (item.href) { let href = item.href.split("#")[0]; if (swcfpc_can_url_be_prefetched(href) && swcfpc_prefetched_urls.includes(href) == false && comp.test(item.href) && swcfpc_element_is_in_viewport(item)) { swcfpc_prefetched_urls.push(href); //console.log( href ); let prefetch_element = document.createElement('link'); prefetch_element.rel = "prefetch"; prefetch_element.href = href; document.getElementsByTagName('body')[0].appendChild(prefetch_element); } } }) localStorage.setItem("swcfpc_prefetched_urls", JSON.stringify(swcfpc_prefetched_urls)); } window.addEventListener("load", function(event) { swcfpc_prefetch_urls(); }); window.addEventListener("scroll", function(event) { swcfpc_prefetch_urls(); }); </script> </body> </html><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="a6faa8410238a5d8bfaafa6f-|49" defer></script>