Bugzilla – Bug 1029035
VUL-0: CVE-2017-6820: roundcubemail: XSS issue in handling of a style tag inside of an svg element
Last modified: 2019-11-06 15:47:07 UTC
I have requested a CVE for the following Roundcube issue, which got
rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element.
Upstream fix (sequence of two commits):
[*] ideally that would be done by the upstream project on its own
before publishing an issue in case it was privately reported, since
it was not immediately clear to me if one was already requested or
some other vendors/distributors have done it.
accepted into maintenance
release for leap
openSUSE-SU-2017:0742-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1029035
CVE References: CVE-2017-6820
openSUSE Leap 42.2 (src): roundcubemail-1.1.8-18.1
openSUSE Leap 42.1 (src): roundcubemail-1.1.8-18.1