Control: retitle -1 roundcube: XSS (CVE-2025-68461) and information disclosure (CVE-2025-68460)
Hi Guilhem,

On Sun, Dec 14, 2025 at 02:32:27PM +0100, Salvatore Bonaccorso wrote:
> Hi Guilhem,
>
> On Sun, Dec 14, 2025 at 11:19:35AM +0100, Guilhem Moulin wrote:
> > Source: roundcube
> > Version: 1.6.11+dfsg-1
> > Severity: important
> > Control: found -1 1.6.5+dfsg-1+deb12u5
> > Control: found -1 1.4.15+dfsg.1-1+deb11u5
> > Tags: security upstream
> > X-Debbugs-Cc: Debian Security Team <[email protected]>
> >
> > Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
> > the following vulnerabilities:
> >
> >  * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
> >    Valentin T., CrowdStrike).
> >
> >    https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
> >
> >  * Information Disclosure vulnerability in the HTML style sanitizer
> >    (reported by somerandomdev).
> >
> >    https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571
> >
> > AFAICT no CVE-IDs have been published for these issues. Will request
> > them shortly if no one beats me to it.
>
> Not sure if you requested them already, but I have done so now via
> MITRE CNA.

Two CVEs have been assigned; they are:

CVE-2025-68460: https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571
CVE-2025-68461: https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

Regards,
Salvatore

