Candidate: CVE-2021-44025
PublicDate: 2021-11-19 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025
 https://bugs.debian.org/1000156
 https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
 https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
Description:
 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in
 handling an attachment's filename extension when displaying a MIME type
 warning message.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000156
 https://github.com/roundcube/roundcubemail/issues/8193
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_roundcube:
 upstream: https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a (1.4.12)
 upstream: https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7 (1.3.17)
upstream_roundcube: released (1.3.17, 1.4.12, 1.5.0)
trusty_roundcube: ignored (out of standard support)
trusty/esm_roundcube: DNE (trusty was needed)
xenial_roundcube: ignored (out of standard support, was needed)
bionic_roundcube: needed
focal_roundcube: needed
hirsute_roundcube: ignored (reached end-of-life)
impish_roundcube: needed
jammy_roundcube: not-affected (1.5.0+dfsg.1-2)
devel_roundcube: not-affected (1.5.0+dfsg.1-2)