Roundcube XSS vulnerability opens the door to email account takeover
The Daily Swig
Roundcube is urging users to update their installations to resolve a security vulnerability that can be exploited to conduct stored, or persistent, cross-site scripting (XSS) attacks.
On July 21, an advisory was published concerning CVE-2020-15562, a vulnerability present in the Roundcube stable version 1.4 and LTS versions 1.3 and 1.2.
Written in PHP, Roundcube is an open source webmail project which offers a browser-based skinnable IMAP client in multiple languages. Features include MIME support, an address book, folders, and message search functionality.
Roundcube currently uses the jQuery 3.x client.