Roundcube has released a security update in versions 1.6.5 and 1.5.6 to address a critical Cross-Site Scripting (XSS) vulnerability associated with file sharing.

For context, the vulnerability is related to how Roundcube set the HTTP headers “Content-Type” and “Content-Disposition” when users requested to preview or download attachments.

For example, if you upload images in Roundcube and share them with other users, those users can preview or download them. The weakness was that the images (for example) were not properly sanitized or validated. This allowed an attacker to upload image files with malicious JavaScript embedded in them. When legitimate users attempted to view or download such images, the concealed code would execute within the user’s browser, potentially compromising the web application on their behalf.
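The header handling described above, as an added example that is not Roundcube's own code: a Python helper that chooses the Content-Type and Content-Disposition for an attachment response from the file's actual bytes rather than its claimed type, and forces an opaque download for anything that is not verifiably a safe raster image. The allow-list of types, the magic bytes and the function names are assumptions made for illustration.

```python
from typing import Dict, Optional

# Added example, not Roundcube code. Raster image types that may be rendered
# inline, keyed to their leading magic bytes. SVG is deliberately absent:
# it is XML and can carry <script> elements or event handlers.
INLINE_SAFE: Dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type proven by the file's own bytes, or None."""
    for mime, magic in INLINE_SAFE.items():
        if data.startswith(magic):
            return mime
    return None


def attachment_headers(filename: str, claimed_type: str, data: bytes,
                       want_inline: bool) -> Dict[str, str]:
    """Build response headers for an attachment preview or download.

    Inline rendering is allowed only when the caller asked for it AND the
    declared type matches what the bytes actually are. Everything else is
    served as an opaque download so the browser never interprets it as markup.
    """
    actual = sniff_type(data)
    inline_ok = want_inline and actual is not None and actual == claimed_type.lower()
    # Keep the filename from breaking out of the quoted header parameter.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    headers = {
        # Forbid the browser from guessing a different type from the content.
        "X-Content-Type-Options": "nosniff",
    }
    if inline_ok:
        headers["Content-Type"] = actual
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        # Defence in depth for direct navigation to the attachment URL:
        # a sandboxed document cannot run script or reach the mail origin.
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers
```

The same decision applies whether the request is a "preview" or a "download": the claimed type and filename extension are treated as untrusted input, and only the bytes decide what the browser is told.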

The security update fixes the vulnerability in versions 1.6.5 and 1.5.6. All web hosting service providers are encouraged to update Roundcube to protect their clients.

Find the release on GitHub.