CVE-2021-44025 — roundcube - security update

Description

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.

How to fix CVE-2021-44025

To remediate CVE-2021-44025, upgrade the affected package to a fixed version below.

Bitnami/roundcube—upgrade to 1.3.17 or later
Debian/roundcube—upgrade to 1.4.12+dfsg.1-1~deb11u1 or later
—upgrade to 1.2.3+dfsg.1-4+deb9u9 or later
—upgrade to 1.3.17+dfsg.1-1~deb10u1 or later

Is CVE-2021-44025 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.3.17, >= 1.4.0, < 1.4.12
from 0, < 1.4.12+dfsg.1-1~deb11u1
from 0, < 1.2.3+dfsg.1-4+deb9u9
from 0, < 1.3.17+dfsg.1-1~deb10u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (9)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-44025
WEBbugs.debian.org/1000156
WEBgithub.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
WEBgithub.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a