roundcube 0.9.3 two XSS flaws

2013-08-25 / 2013-10-21

Credit: Vincent Danen

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2013-5645 | CVE-2013-5646

CWE: CWE-79

Two XSS flaws were fixed in roundcube 0.9.3 [1]:
* Fix XSS vulnerability when saving HTML signatures [2],[3]
* Fix XSS vulnerability when editing a message "as new" or draft [2],[4]
[1] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
[2] http://trac.roundcube.net/ticket/1489251
[3] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[4] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
Other references:
http://bugs.gentoo.org/show_bug.cgi?id=482206
https://bugzilla.redhat.com/show_bug.cgi?id=1000510
Thanks.

References:

http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3

http://trac.roundcube.net/ticket/1489251

http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github

http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

http://bugs.gentoo.org/show_bug.cgi?id=482206

https://bugzilla.redhat.com/show_bug.cgi?id=1000510

http://seclists.org/oss-sec/2013/q3/483

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

roundcube 0.9.3 two XSS flaws

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.