This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well a some general improvements from our issue tracker. See the full changelog below.
Security fix
- Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
Credits for this finding go to Mateusz Szymaniec (CERT Polska).
This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!
CHANGELOG
- Display a nice error informing about no PHP8 support
- Elastic: Fix compatibility with Less v3 and v4 (#7813)
- Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
- Fix errors in MSSQL database update scripts (#7853)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content