ALT Linux Team

Package roundcube update in sisyphus on 2024-12-07

ALT-PU-2024-16644-2

Package roundcube updated to version 1.6.9-alt1 for branch sisyphus in task 364335.

Closed vulnerabilities

Published: 2024-08-05

BDU:2024-06146

Уязвимость функции message_body() файла program/actions/mail/show.php почтового клиента RoundCube Webmail, позволяющая нарушителю получить полный доступ к электронной почте путём отправки специально сформированного сообщения

Severity: CRITICAL (9.3) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References:
Published: 2024-06-18

BDU:2024-06254

Уязвимость функции rcmail_action_mail_get->run() почтового клиента RoundCube Webmail, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (6.1) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-08-05

BDU:2024-06665

Уязвимость функции mod_css_styles компонента Cascading Style Sheet Handler почтового клиента RoundCube, позволяющая нарушителю раскрыть конфиденциальную информацию

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-08-05
Modified: 2025-03-13

CVE-2024-42008

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Severity: CRITICAL (9.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References:
Published: 2024-08-05
Modified: 2025-03-13

CVE-2024-42009

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Severity: CRITICAL (9.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References:
Published: 2024-08-05
Modified: 2024-08-12

CVE-2024-42010

mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top