Home / mailings [USN-8132-1] Roundcube Webmail vulnerabilities
Posted on 30 March 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8132-1
March 30, 2026
roundcube vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Roundcube Webmail.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
It was discovered that Roundcube Webmail did not properly sanitize
certain HTML elements within the e-mail body. An attacker could possibly
use this issue to cause a cross-site scripting attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2017-6820)
It was discovered that Roundcube Webmail did not properly restrict exec call in
certain drivers of the password plugin. An authenticated user could possibly
use this issue to perform arbitrary password resets. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2017-8114)
It was discovered that Roundcube Webmail did not properly set file permissions within
the Enigma plugin. An attacker could possibly use this issue to exfiltrate GPG private
keys via network connectivity. (CVE-2018-1000071)
It was discovered that Roundcube Webmail did not properly handle GnuPG MDC
integrity-protection warnings. An attacker could possibly use this issue to obtain
sensitive information from encrypted communications. (CVE-2018-19205)
It was discovered that Roundcube Webmail did not properly sanitize <svg> and <style>
tags within HTML attachments. An attacker could possibly use this issue to cause a
cross-site scripting attack. (CVE-2018-19206)
It was discovered that Roundcube Webmail did not properly handle partially encrypted
multipart messages. An attacker could possibly use this issue to cause
leaking of the plaintext of encrypted messages via an email reply. (CVE-2019-10740)
It was discovered that Roundcube Webmail did not properly sanitize a certain parameter
within the archive plugin. An attacker could possibly use this issue to perform an
IMAP injection attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2018-9846)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm7
Available with Ubuntu Pro
roundcube-plugins 1.3.6+dfsg.1-1ubuntu0.1~esm7
Available with Ubuntu Pro
Ubuntu 16.04 LTS
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm7
Available with Ubuntu Pro
roundcube-plugins 1.2~beta+dfsg.1-0ubuntu1+esm7
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8132-1
CVE-2016-4068, CVE-2016-4069, CVE-2016-9920, CVE-2017-6820,
CVE-2017-8114, CVE-2018-1000071, CVE-2018-19205, CVE-2018-19206,
CVE-2018-9846, CVE-2019-10740
--===============8839755087469067911==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
