An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
| Vendor | Product | Versions |
|---|---|---|
| roundcube | webmail | composer/roundcube/roundcubemail: >= 1.7-beta, < 1.7-rc5 |
Updated affected versions to include 1.5.13 and 1.6.13, changed severity to HIGH, and noted that no exploit is available.
Initial creation
