FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

roundcube -- cross-site scripting in HTML email messages

Affected packages
0.8.0,1 <= roundcube < 0.8.1,1

Details

VuXML ID c906e0a4-efa6-11e1-8fbf-001b77d09812
Discovery 2012-08-14
Entry 2012-08-27

RoundCube branch 0.8.x prior to version 0.8.1 is prone to a cross-site scripting (XSS) attack originating from incoming HTML e-mails: due to the lack of proper sanitization of JavaScript code inside the "href" attribute, a sender could launch an XSS attack when the recipient opens the message in the RoundCube interface.
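The class of check whose absence is described above, as an added Python example; it is not RoundCube's code and not the 0.8.1 fix. It covers only "href" values, and the names `href_is_safe`, `HrefWasher`, `wash_hrefs`, the scheme allowlist and the sample message are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption: allowlist for mail links

def href_is_safe(value):
    """True only when the href carries an explicitly allowlisted scheme."""
    # Browsers drop tabs, newlines and leading control characters from a URL
    # before resolving its scheme, so normalise the same way before checking.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return bool(match) and match.group(1).lower() in ALLOWED_SCHEMES

class HrefWasher(HTMLParser):
    """Re-emits markup, dropping any href that fails href_is_safe()."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            # The parser has already decoded character references in the value,
            # so entity-encoded scheme names are checked in decoded form.
            if name == "href" and not href_is_safe(value or ""):
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def wash_hrefs(html_body):
    washer = HrefWasher()
    washer.feed(html_body)
    washer.close()
    return "".join(washer.out)

# Constructed sample message body (not taken from the advisory).
SAMPLE = ('<p>Hello <a href="https://example.org/a?x=1&amp;y=2">docs</a> '
          '<a href="JaVaScRiPt:void(0)">one</a> '
          '<a href="&#106;ava&#9;script:void(0)">two</a></p>')

if __name__ == "__main__":
    print(wash_hrefs(SAMPLE))
```

An allowlist checked after decoding and normalisation rejects every scheme not explicitly listed, so the filter does not depend on enumerating spellings of a blocked one.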

References

CVE Name CVE-2012-3508
URL http://trac.roundcube.net/ticket/1488613
URL http://trac.roundcube.net/wiki/Changelog