github roundcube/roundcubemail 1.4.7
Roundcube Webmail 1.4.7

3 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported security vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix bug where subfolders of special folders could have been duplicated on folder list
  • Increase maximum size of contact jobtitle and department fields to 128 characters
  • Fix missing newline after the logged line when writing to stdout (#7418)
  • Elastic: Fix context menu (paste) on the recipient input (#7431)
  • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
