An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
| Vendor | Product | Versions |
|---|---|---|
| roundcube | roundcube webmail | composer/roundcube/roundcubemail: >= 1.7-beta, < 1.7-rc5, < 1.5.15, < 1.6.15, < 1.7-rc6 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | roundcube | cert_advisory | 90% |
Updated affected versions to include 1.5.13 and 1.6.13, changed severity to HIGH, and noted that no exploit exists.
Initial creation
