This is a security update to the stable version 1.1. It fixes a recently reported vulnerability allowing IMAP command injection via a GET parameters. More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.
We strongly recommend to update all productive installations of Roundcube 1.1.x. Please do backup your data before updating!
Please login to add feedback.
|submitted||a year ago|
|in testing||a year ago|
|0||0||#1566744 CVE-2018-9846 roundcubemail: MX injection in archive.php [epel-all]|