roundcubemail-1.6.8-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14243-1 Final 1 1 2024-08-07T00:00:00Z current 2024-08-07T00:00:00Z 2024-08-07T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z roundcubemail-1.6.8-1.1 on GA media These are all security issues fixed in the roundcubemail-1.6.8-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-42008/ SUSE CVE CVE-2024-42008 page https://www.suse.com/security/cve/CVE-2024-42009/ SUSE CVE CVE-2024-42009 page https://www.suse.com/security/cve/CVE-2024-42010/ SUSE CVE CVE-2024-42010 page openSUSE Tumbleweed roundcubemail-1.6.8-1.1 roundcubemail-1.6.8-1.1 as a component of openSUSE Tumbleweed A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. CVE-2024-42008 openSUSE Tumbleweed:roundcubemail-1.6.8-1.1 not set To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-42008.html CVE-2024-42008 A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. CVE-2024-42009 openSUSE Tumbleweed:roundcubemail-1.6.8-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-42009.html CVE-2024-42009 https://bugzilla.suse.com/1228900 SUSE Bug 1228900 mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. CVE-2024-42010 openSUSE Tumbleweed:roundcubemail-1.6.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-42010.html CVE-2024-42010 https://bugzilla.suse.com/1228901 SUSE Bug 1228901