Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML
messages during message display via a crafted SVG document. This issue has
been fixed in 1.4.8 and 1.3.15.
github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e (1.2.12)
github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4
github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4 (1.4.8)
github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b (1.3.15)
github.com/roundcube/roundcubemail/releases/tag/1.4.8
launchpad.net/bugs/cve/CVE-2020-16145
nvd.nist.gov/vuln/detail/CVE-2020-16145
security-tracker.debian.org/tracker/CVE-2020-16145
ubuntu.com/security/notices/USN-5182-1
www.cve.org/CVERecord?id=CVE-2020-16145