Advisories » MGASA-2020-0206

Updated roundcubemail packages fix security vulnerabilities

Publication date: 08 May 2020
Modification date: 08 May 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-12625 , CVE-2020-12626

Description

Updated roundcubemail packages fix security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content
  (CVE-2020-12625)
- CSRF attack can cause an authenticated user to be logged out
  (CEV-2020-12626)
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via
  crafted 'plugins' option
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26586
• https://github.com/roundcube/roundcubemail/releases/tag/1.3.11
• https://www.debian.org/security/2020/dsa-4674
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12626

SRPMS

7/core

• roundcubemail-1.3.11-1.mga7