Skip to content

Roundcube Webmail 1.5.7

Compare
Choose a tag to compare
@alecpl alecpl released this 19 May 10:19
· 972 commits to master since this release
1.5.7

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

  • Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
    Reported by Valentin T. and Lutz Wolf of CrowdStrike.
  • Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
    Reported by Huy Nguyễn Phạm Nhật.
  • Fix command injection via crafted im_convert_path/im_identify_path on Windows.
    Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

  • Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
  • Fix TinyMCE localization installation (#9266)
  • Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
  • Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
  • Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
  • Fix command injection via crafted im_convert_path/im_identify_path on Windows