A Cross-Site scripting (XSS) vulnerability exists in Roundcube versions before 1.4.5 and 1.3.12.
By leveraging the parsing of "text/xml" attachment, an attacker can bypass the Roundcube script filter and execute arbitrary malicious JavaScript in the victim's browser when the malicious attachment is clicked/previewed.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Waiting for a Roundcube user to open the attachment containg the XSS
More details and the exploitation process can be found in this PDF.