Security issue: An attacker could use text email messages to make Internet Explorer users run scripts in the context of the webmail system
Reported by: enriquerando
Owned by:
Under certain circumstances, RoundCube doesn’t HTML-encode output when showing text files. If the user uses a browser that processes files based on their contents, it could be leveraged by the attacker to inject scripts.
Please see the attached file for some examples and explanations.
Don't hesitate to contact me for more info.
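
The two output paths the report touches, hardened, as an added example that is not part of the ticket or of Roundcube's code. The function names, the sample body and the file name are hypothetical, and the body is assumed to be already converted to UTF-8.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not Roundcube functions.

/** Inline display: the text part is embedded in the webmail HTML page. */
function render_text_part_inline(string $utf8Body): string
{
    // Encode every HTML metacharacter, quotes included. ENT_SUBSTITUTE
    // replaces invalid byte sequences instead of returning an empty string.
    $safe = htmlspecialchars($utf8Body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre class="text-part">' . $safe . '</pre>';
}

/** Raw display: the text part is served as its own HTTP response. */
function text_part_response_headers(string $filename): array
{
    // Reduce the attacker-supplied file name to a conservative character set
    // so it cannot break out of the quoted header parameter.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));

    return [
        // Declare the type and charset explicitly.
        'Content-Type: text/plain; charset=UTF-8',
        // Ask browsers that honour this header not to guess the type from
        // the content.
        'X-Content-Type-Options: nosniff',
        // Force a download so the part is never rendered in the webmail origin.
        'Content-Disposition: attachment; filename="' . $name . '"',
    ];
}

// Constructed sample: a text/plain message body that contains markup.
$body = "Hi,\n<script>alert(document.domain)</script>\nRegards\n";

// The markup comes out as &lt;script&gt;... and is displayed, not executed.
echo render_text_part_inline($body), "\n";

// In a real response these lines would be passed to header() before the body.
foreach (text_part_response_headers('notes.txt') as $line) {
    echo $line, "\n";
}
```

Escaping covers the case where the text is placed inside an HTML page; the headers cover the case where the raw part is returned directly and the browser decides how to treat it.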