{"affected":[{"ecosystem_specific":{"binaries":[{"roundcubemail":"1.6.7-bp155.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP5","name":"roundcubemail","purl":"pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.7-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"roundcubemail":"1.6.7-bp155.2.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"roundcubemail","purl":"pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.7-bp155.2.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for roundcubemail fixes the following issues:\n\nUpdate to 1.6.7\n\nThis is a security update to the stable version 1.6 of Roundcube Webmail.\nIt provides a fix to a recently reported XSS vulnerabilities:\n\n  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.\n    Reported by Valentin T. and Lutz Wolf of CrowdStrike.\n  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.\n    Reported by Huy Nguyễn Phạm Nhật.\n  * Fix command injection via crafted im_convert_path/im_identify_path on Windows.\n    Reported by Huy Nguyễn Phạm Nhật.\n\n  CHANGELOG\n\n  * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)\n  * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)\n  * Fix bug in collapsing/expanding folders with some special characters in names (#9324)\n  * Fix PHP8 warnings (#9363, #9365, #9429)\n  * Fix missing field labels in CSV import, for some locales (#9393)\n  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes\n  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences\n  * Fix command injection via crafted im_convert_path/im_identify_path on Windows\n\nUpdate to 1.6.6:\n\n  * Fix regression in handling LDAP search_fields configuration parameter (#9210)\n  * Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3\n  * Fix page jump menu flickering on click (#9196)\n  * Update to TinyMCE 5.10.9 security release (#9228)\n  * Fix PHP8 warnings (#9235, #9238, #9242, #9306)\n  * Fix saving other encryption settings besides enigma's (#9240)\n  * Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)\n  * Fix TinyMCE localization installation (#9266)\n  * Fix bug where trailing non-ascii characters in email addresses \n    could have been removed in recipient input (#9257)\n  * Fix IMAP GETMETADATA command with options - RFC5464\n\nUpdate to 1.6.5 (boo#1216895):\n\n  * Fix cross-site scripting (XSS) vulnerability in setting \n    Content-Type/Content-Disposition for attachment \n    preview/download  CVE-2023-47272\n\n  Other changes:\n\n  * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)\n  * Fix duplicated Inbox folder on IMAP servers that do not use Inbox \n    folder with all capital letters (#9166)\n  * Fix PHP warnings (#9174)\n  * Fix UI issue when dealing with an invalid managesieve_default_headers \n    value (#9175)\n  * Fix bug where images attached to application/smil messages \n    weren't displayed (#8870)\n  * Fix PHP string replacement error in utils/error.php (#9185)\n  * Fix regression where smtp_user did not allow pre/post strings \n    before/after %u placeholder (#9162)\n","id":"openSUSE-SU-2024:0257-1","modified":"2024-08-21T11:35:59Z","published":"2024-08-21T11:35:59Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ3GTO6YI3BLAIR7PQZYZ5LRFR7OKTWN/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1216895"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-47272"}],"related":["CVE-2023-47272"],"summary":"Security update for roundcubemail","upstream":["CVE-2023-47272"]}