Articles in this section

SpamAssassin rules can't be updated on CentOS 7 server with Plesk: config: SpamAssassin failed to parse line, is not valid for "util_rb_3tld"
Is Roundcube 1.4 secured against CVE-2026-25916 and CVE-2026-26079 in Plesk?
Integrating SmarterMail 100.0.9560 with Plesk fails: Login failure: Missing auth
Dovecot IMAP crashes on a Plesk server with Ubuntu 24.04: Panic: file imap-sieve-storage.c: line 216 (imap_sieve_add_mailbox_event): assertion failed
Unable to start Amavis: ERROR: MISSING REQUIRED ADDITIONAL MODULES: DBD::MariaDB
Unable to send or receive email with Plesk Email Security extension installed
It is not possible to receive messages coming from a specific domain to a specific mailbox on a Linux Plesk server. What can be checked?
How to configure Apache Solr search for Dovecot?
WordPress website using WP Mail SMTP: SASL authentication failure: no secret in database
Incoming email does not work: Fatal Plugin '$mail_plugins' not found from directory /usr/lib/dovecot/modules
See more

CVE-2024-42008, CVE-2024-42009, CVE-2024-42010 vulnerabilities in Roundcube

Batyr Tarpakov

Updated August 14, 2024 03:47

Plesk for Linux kb: technical

Impact

CVE-2024-42008, CVE-2024-42009, CVE-2024-42010 vulnerabilities were discovered in Roundcube.

Situation

Roundcube before 1.5.8/1.6.8 versions has these vulnerabilities:

XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Call to action

The vulnerabilities are fixed in Plesk Obsidian 18.0.63 #1.

Update Plesk to the latest version.

Comments

0 comments

Please sign in to leave a comment.