Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube" }, { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube-core" }, { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube-mysql" }, { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube-pgsql" }, { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube-plugins" }, { "binary_version": "1.2~beta+dfsg.1-0ubuntu1", "binary_name": "roundcube-sqlite3" } ] }