MGASA-2024-0193

Source
https://advisories.mageia.org/MGASA-2024-0193.html
Import Source
https://advisories.mageia.org/MGASA-2024-0193.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2024-0193
Published
2024-05-25T23:39:14Z
Modified
2026-04-16T04:21:57.891024Z
Summary
Updated roundcubemail packages fix security vulnerabilities
Details

This is a security update to the stable version 1.6 of Roundcube Webmail.

- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted imconvertpath/imidentifypath on Windows. Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

Affected packages

Mageia:9 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/mageia/roundcubemail?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.7-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2024-0193.json"