Roundcube Webmail SVG feImage remote image bypass vulnerability patched in 1.5.13/1.6.13
Summary
Roundcube Webmail has a vulnerability where the SVG feImage element's href is not treated as an image source by the sanitizer, bypassing remote image blocking and allowing email opens to be tracked. The flaw affects versions earlier than 1.5.13 and 1.6.x before 1.6.13 and was fixed in 1.5.13 and 1.6.13. The post outlines background, discovery, technical details, a proof-of-concept, impact, and remediation with a code fix that broadens the image attribute checks to include feImage.