Roundcube Community Forum

 

Roundcube 1.6.10 and Bootstrap

Started by in3eqa, May 16, 2025, 06:18:25 AM

in3eqa

Greetings all! I just installed this awesome webmail front-end on my personal mail server. Everything goes fine... but... when I did my usual vulnerability assessment, I discovered something I didn't expect.

The last stable version uses the Bootstrap JavaScript library version 4.5.3, exposed to an XSS vuln described in CVE-2024-6531, in particular in the "carousel" component.
Then my two questions:
1) is "carousel" component used in the base code in actual 1.6.10 version or in any other plugins ?
2) has it been planned to use an updated Bootstrap library in a next minor or major release ?

Thanks to anyone who will answer.

JohnDoh

Quote: 1) is "carousel" component used in the base code in actual 1.6.10 version or in any other plugins ?

It is not. Roundcube (excluding third-party plugins/skins) is not affected by this. Confirmation from devs here: https://github.com/roundcube/roundcubemail/issues/9633

Quote: 2) has it been planned to use an updated Bootstrap library in a next minor or major release ?

So far nothing like that has been suggested for any upcoming release by the devs.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...
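
For the third-party plugins and skins that the answer above excludes, one way to check an installation for Bootstrap 4 carousel usage. This is an added example, not part of the thread or of Roundcube's code; the scanned file extensions and the pattern for skipping the vendored Bootstrap bundle are assumptions.

```python
import re
import sys
from pathlib import Path

# Markers of Bootstrap 4 carousel usage in markup or script.
MARKERS = {
    "carousel class": re.compile(r"""class\s*=\s*["'][^"']*\bcarousel\b"""),
    "data-ride": re.compile(r"""data-ride\s*=\s*["']carousel["']"""),
    "data-slide": re.compile(r"\bdata-slide(?:-to)?\s*="),
    "jQuery .carousel()": re.compile(r"\.carousel\s*\("),
}
# Assumption: templates and code live in files with these extensions.
SCAN_EXT = {".html", ".php", ".js", ".inc", ".tpl"}
# Assumption: the library bundle itself defines the component, so skip it.
VENDORED = re.compile(r"bootstrap(\.bundle)?(\.min)?\.js$")

def scan_text(text):
    """Return (line number, marker name) for every marker found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in MARKERS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Scan an install tree; return {relative path: hits} for files with hits."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        if VENDORED.search(path.name):
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results

if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, hits in scan_tree(tree).items():
        for lineno, name in hits:
            print(f"{file}:{lineno}: {name}")
```

An empty result means none of these markers appear in the scanned files; any hit in a plugin or skin is a place to review how the carousel markup is built.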

in3eqa

Very well, thanks so much for the explanation. I was looking for exactly a confirmation like that.