First published: Tue Feb 03 2015(Updated: )
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
barnraiser AROUNDMe | <=1.0.4 | |
SUSE Linux | =13.1 | |
SUSE Linux | =13.2 | |
Fedora | =21 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2015-1433 has a high severity rating due to its potential to allow remote attackers to conduct cross-site scripting attacks.
To fix CVE-2015-1433, you should upgrade your Roundcube installation to version 1.0.5 or later.
CVE-2015-1433 affects all versions of Roundcube prior to 1.0.5.
If you do not use Roundcube, you are not affected by CVE-2015-1433, as it is specific to that software.
CVE-2015-1433 can enable attackers to execute cross-site scripting (XSS) attacks through unquoted strings in email style attributes.