Fedora 20 : roundcubemail-0.9.4-1.fc20 (2013-16162)

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote Fedora host is missing a security update.

Description :

0.9.4, latest upstream. Require webserver rather than httpd. Two XSS
flaws were fixed in roundcube 0.9.3 [1] :

- Fix XSS vulnerability when saving HTML signatures [2],[3]

- Fix XSS vulnerability when editing a message 'as new' or draft [2],[4]

[1] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
[2] http://trac.roundcube.net/ticket/1489251
[3] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[4] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?76c8cd72
http://www.nessus.org/u?f6233b6f
http://trac.roundcube.net/ticket/1489251
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
https://bugzilla.redhat.com/show_bug.cgi?id=1000511
https://bugzilla.redhat.com/show_bug.cgi?id=1000512
https://bugzilla.redhat.com/show_bug.cgi?id=1005696
http://www.nessus.org/u?2eb000d1

Solution :

Update the affected roundcubemail package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Fedora Local Security Checks

Nessus Plugin ID: 70051

Bugtraq ID: 61976

CVE ID: