If you self-host email there is a pretty good chance you are using Roundcube as a webmail client if you have a webmail client.
Archive: https://archive.today/AlBie
From the post:
>TL;DR: Roundcube’s rcube_washtml sanitizer blocked external resources on <img>, <image>, and <use>, but not on <feImage>. Its href went through the wrong code path and got allowed through. Attackers could track email opens even when “Block remote images” was on. Fixed in 1.5.13 and 1.6.13.
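An audit check for the gap described above, as an added example that is not part of the original post and is not Roundcube's code (rcube_washtml is PHP): it lists remote URLs on the four elements the TL;DR names, so a stored message can be checked for `<feImage>` references that an unpatched sanitizer let through. The function names, the attribute set, and the sample message with its hosts are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements named in the write-up: the three that were blocked, plus <feImage>.
# HTMLParser lowercases tag and attribute names, so compare in lowercase.
RESOURCE_TAGS = {"img", "image", "use", "feimage"}
URL_ATTRS = {"src", "href", "xlink:href"}  # assumption: attributes worth checking


def is_remote(url):
    """True for URLs that make the mail client contact another host."""
    u = "".join(url.split()).lower()  # drop whitespace hidden inside the value
    return u.startswith(("http://", "https://", "//"))


class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <feImage ... />.
        if tag not in RESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and is_remote(value):
                self.findings.append((tag, name, value))


def find_remote_refs(html):
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message body; hosts are placeholders.
SAMPLE = """<p>Hello</p>
<img src="cid:logo@example">
<img src="https://img.example/pixel.gif">
<svg width="1" height="1">
  <defs><symbol id="s"/></defs>
  <use href="#s"/>
  <filter id="f"><feImage href="https://img.example/open?id=constructed"/></filter>
</svg>"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE):
        print(f"remote reference: <{tag}> {attr}={url}")
```

Inline `cid:` images and same-document `#fragment` references are not reported; only URLs that would cause a request to another host are.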