Detections
Analytics

Debian dla-4517 : roundcube - security update

high Nessus Plugin ID 304327

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4517 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-4517-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin March 30, 2026 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : roundcube Version : 1.4.15+dfsg.1-1+deb11u8 CVE ID : not yet available Debian Bug : 1131182 1132268

 Multiple vulnerabilities were discovered in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which might lead to information disclosure or privilege escalation.

 * Georgios Tsimpidas discovered an Server-side request forgery (SSRF) vulnerability via stylesheet links to a local network hosts.
 * An IMAP injection and CSRF bypass vulnerability was found within the email search logic.
 * It was discovered that one could change password without providing the old one in some situations.
 * NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize image sources in SVG `<animate>` attributes. This allows attackers to bypass remote image blocking to track email open action or potentially bypass access control.
 * NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize `<body background=>` attributes. This allows attackers to bypass remote image blocking to track email open action or potentially bypass access control.
 * NULL CATHEDRAL discovered that the CSS sanitizer doesn't convert `position: fixed` `position: absolute` when `!important` is used.
 This allows an attacker to mask the Roundcube UI with a fake session expired page and trick the user into an attacker-controlled login page.
 * It was discovered that the HTML sanitizer doesn't sanitize image sources in SVG `<animate>` attributes via fill/filter/stroke. This allows attackers to bypass remote image blocking to track email open action or potentially bypass access control.
 * A Cross-site scripting (XSS) vulnerability was found in the HTML attachment preview.

 CVE IDs have been requested but have not been assigned yet.

 For Debian 11 bullseye, this problem has been fixed in version 1.4.15+dfsg.1-1+deb11u8.

 We recommend that you upgrade your roundcube packages.

 For the detailed security status of roundcube please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/roundcube

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the roundcube packages.

See Also

https://security-tracker.debian.org/tracker/source-package/roundcube

https://packages.debian.org/source/bullseye/roundcube

Plugin Details

Severity: High

ID: 304327

File Name: debian_DLA-4517.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/30/2026

Updated: 3/30/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:roundcube-core, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:roundcube, p-cpe:/a:debian:debian_linux:roundcube-mysql, p-cpe:/a:debian:debian_linux:roundcube-plugins, p-cpe:/a:debian:debian_linux:roundcube-pgsql, p-cpe:/a:debian:debian_linux:roundcube-sqlite3

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/30/2026

Vulnerability Publication Date: 3/30/2026