oss-sec mailing list archives

CVE-2025-68460/CVE-2025-68461: Roundcube XSS + I-D prior to 1.5.12/1.6.12


From: Valtteri Vuorikoski <vuori () notcom org>
Date: Sat, 27 Dec 2025 15:49:59 +0200

Roundcube, a PHP-based webmail frontend, released a series of security updates
on Dec 12. From the release announcement:

 * Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by
   Valentin T., CrowdStrike.
 
 * Fix Information Disclosure vulnerability in the HTML style sanitizer reported
   by somerandomdev.

These are fixed in the newly-released versions 1.5.12 and 1.6.12. While not
mentioned in the official announcement, these appear to be CVE-2025-68461 (7.2)
and CVE-2025-68460 (7.2) respectively.

Additionally, a new prerelease of the 1.7 series (currently in beta), 1.7rc2, was
announced fixing the same issues.

Full announcements:
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
https://roundcube.net/news/2025/12/15/roundcube-1.7-rc2-released

 -Valtteri
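As an added check (not part of the post above or of Roundcube's own code), the following Python script classifies an installed Roundcube version against the fixed releases named in the announcement: 1.5.12, 1.6.12 and the 1.7 prerelease rc2. It assumes the version string is the RCMAIL_VERSION constant defined in program/include/iniset.php (assumed location and constant name), that prereleases are spelled with a hyphen such as '1.7-rc2' (assumed form), and that series the announcement does not mention are handled as described in the comments, which is this example's assumption rather than anything the announcement states.

```python
import re

# Fixed releases from the announcement: 1.5.12, 1.6.12 and the 1.7 prerelease rc2.
# The hyphenated prerelease spelling is an assumption about Roundcube's format.
FIXED_IN_SERIES = {
    (1, 5): "1.5.12",
    (1, 6): "1.6.12",
    (1, 7): "1.7-rc2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d*))?$")


def parse_version(version):
    """Turn '1.6.11', '1.7-beta' or '1.7-rc2' into a tuple that sorts correctly.

    Prereleases (beta < rc) sort before the final release of the same version,
    so '1.7-rc2' < '1.7'. Unrecognised strings are rejected rather than guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        stage = {"beta": 0, "rc": 1}[m.group(4)]
        pre = (stage, int(m.group(5) or 0))
    else:
        pre = (2, 0)  # final release: sorts after any beta/rc of the same version
    return (major, minor, patch, pre)


def check_version(version):
    """Return 'fixed' or 'affected' for the two CVEs, given a version string.

    Series the announcement does not mention are handled by assumption:
    anything older than 1.5 is treated as affected (no fixed release is listed
    for it), anything newer than 1.7 as fixed (it postdates the fix).
    """
    parsed = parse_version(version)
    series = parsed[:2]
    if series in FIXED_IN_SERIES:
        fixed = parse_version(FIXED_IN_SERIES[series])
        return "fixed" if parsed >= fixed else "affected"
    return "affected" if series < (1, 5) else "fixed"


def version_from_iniset(php_source):
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php.

    The file location and constant name are assumptions about Roundcube's layout.
    """
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in the supplied source")
    return m.group(1)


# Constructed sample of what the define line looks like; not a real file.
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.11');\n"

if __name__ == "__main__":
    import sys

    # Usage: python3 check_roundcube.py /path/to/roundcube/program/include/iniset.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_INISET
    found = version_from_iniset(src)
    print(f"Roundcube {found}: {check_version(found)}")
```

Run it with the path to the installed iniset.php; without an argument it evaluates the constructed sample and reports 1.6.11 as affected.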
 