Greetings all! I just installed this awesome webmail front-end on my personal mail server. Everything went fine... but when I did my usual vulnerability assessment, I discovered something I didn't expect.
The last stable version uses a Bootstrap JavaScript library, version 4.5.3, exposed to an XSS vulnerability described in CVE-2024-6531, in particular concerning the "carousel" component.
So, my two questions:
1) Is the "carousel" component used in the base code of the current 1.6.10 version, or in any other plugins?
2) Is it planned to use an updated Bootstrap library in a next minor or major release?
Thanks to anyone who will answer.
Quote: 1) Is the "carousel" component used in the base code of the current 1.6.10 version, or in any other plugins?
It is not; Roundcube (excluding third-party plugins/skins) is not affected by this. See confirmation from the devs here: https://github.com/roundcube/roundcubemail/issues/9633
Quote: 2) Is it planned to use an updated Bootstrap library in a next minor or major release?
So far nothing like that has been suggested for any upcoming release by the devs.
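Since the answer above only covers the Roundcube core, an administrator still has to verify their own install, including any third-party plugins and skins. The following shell check is an added example written for this thread; it is not part of the forum posts and is not a Roundcube tool. It assumes the bundled Bootstrap file is named `bootstrap*.js` and carries the standard `Bootstrap vX.Y.Z` banner comment; the directory layout and the `example_gallery` plugin in the sample tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Roundcube project): report the
# bundled Bootstrap version and every file outside the Bootstrap bundle that
# references the carousel component (class, data-ride attribute or
# $(...).carousel(...) call).
set -eu

# Print the version from the banner of the first bootstrap*.js under $1.
# Assumes the upstream banner format "Bootstrap v4.5.3"; prints nothing
# if no bundle is found.
bootstrap_version() {
    dir=$1
    find "$dir" -type f -name 'bootstrap*.js' \
        -exec grep -h -o 'Bootstrap v[0-9][0-9.]*' {} + 2>/dev/null \
        | head -n1 | sed 's/Bootstrap v//'
}

# List template, script, stylesheet and PHP files under $1 that mention
# "carousel" as a whole word, excluding the Bootstrap bundle itself.
carousel_references() {
    dir=$1
    find "$dir" -type f \
        \( -name '*.html' -o -name '*.js' -o -name '*.css' -o -name '*.php' \) \
        ! -name 'bootstrap*' \
        -exec grep -l -w 'carousel' {} + 2>/dev/null || true
}

# Constructed sample install (hypothetical paths): a Bootstrap 4.5.3 bundle,
# a core template that does not use the carousel, and a made-up third-party
# plugin "example_gallery" that does. Prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/skins/elastic/deps" "$root/skins/elastic/templates" \
             "$root/plugins/example_gallery"
    printf '/*!\n * Bootstrap v4.5.3 (https://getbootstrap.com/)\n */\n' \
        > "$root/skins/elastic/deps/bootstrap.bundle.min.js"
    printf '<div class="navbar">mail</div>\n' \
        > "$root/skins/elastic/templates/mail.html"
    printf '<div id="g" class="carousel slide" data-ride="carousel"></div>\n' \
        > "$root/plugins/example_gallery/gallery.html"
    printf '$("#g").carousel("next");\n' \
        > "$root/plugins/example_gallery/gallery.js"
    echo "$root"
}

# Human-readable summary for the tree at $1.
report() {
    dir=$1
    ver=$(bootstrap_version "$dir")
    echo "Bootstrap version: ${ver:-not found}"
    refs=$(carousel_references "$dir")
    if [ -n "$refs" ]; then
        echo "Files referencing the carousel component:"
        echo "$refs"
    else
        echo "No carousel references outside the Bootstrap bundle"
    fi
}

# Usage: sh check_carousel.sh /path/to/roundcube
# Without an argument the constructed sample tree is scanned instead.
if [ $# -gt 0 ]; then
    report "$1"
else
    report "$(make_sample_tree)"
fi
```

Run it against the web root of the real install; an empty reference list confirms the situation the answer describes, while any listed file under `plugins/` or `skins/` is a third-party component that needs its own review regardless of what the core does.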
Very well, thanks so much for the explanation. I was looking for exactly a confirmation like that.