This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported stored XSS vulnerability as well a small number
of general improvements from our issue tracker. See the full changelog below.
Security fix
- Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [
CVE-2020-35730]
Credits for this finding go to Alex Birnberg.
This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!
CHANGELOG
- Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
- Fix folder list issue when special folder is a subfolder (#7647)
- Fix Elastic's folder subscription toggle in search result (#7653)
- Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
- Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content