HEX
Server: LiteSpeed
System: Linux 112.webhostingindonesia.co.id 5.14.0-570.62.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 11 10:10:59 EST 2025 x86_64
User: iyfwylsv (10313)
PHP: 8.2.30
Disabled: NONE
$ pwd: /proc/self/root/var/softaculous/roundcube/
Upload Files
File: //proc/self/root/var/softaculous/roundcube/changelog.txt
## Release 1.6.15

- Fix regression where mail search would fail on non-ascii search criteria (#10121)
- Fix regression where some data url images could get ignored/lost (#10128)
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

## Release 1.6.14

- Fix Postgres connection using IPv6 address (#10104)
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
- Security: Fix bug where a password could get changed without providing the old password
- Security: Fix IMAP Injection + CSRF bypass in mail search
- Security: Fix remote image blocking bypass via various SVG animate attributes
- Security: Fix remote image blocking bypass via a crafted body background attribute
- Security: Fix fixed position mitigation bypass via use of !important
- Security: Fix XSS issue in a HTML attachment preview
- Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

## Release 1.6.13

- Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
- Fix remote image blocking bypass via SVG content reported by nullcathedral
- Fix CSS injection vulnerability reported by CERT Polska

## Release 1.6.12

- Support IPv6 in database DSN (#9937)
- Don't force specific error_reporting setting
- Fix compatibility with PHP 8.5 regarding array_first()
- Remove X-XSS-Protection example from .htaccess file (#9875)
- Fix "Assign to group" action state after creation of a first group (#9889)
- Fix bug where contacts search would fail if `contactlist_fields` contained vcard fields (#9850)
- Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
- Fix parsing of inline styles that aren't well-formatted (#9948)
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
- Fix Information Disclosure vulnerability in the HTML style sanitizer

## Release 1.6.11

- Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
- Improve installer to fix confusion about disabling SMTP authentication (#9801)
- Fix PHP warning in index.php (#9813)
- OAuth: Fix/improve token refresh
- Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
- Fix HTML message preview if it contains floating tables (#9804)
- Fix removing/expiring redis/memcache records when using a key prefix
- Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
- Fix a default value and documentation of password_ldap_encodage option (#9658)
- Remove mobile/floating Create button from the list in Settings > Folders (#9661)
- Fix Delete and Empty buttons state while creating a folder (#9047)
- Fix connecting to LDAP using ldapi:// URI (#8990)
- Fix cursor position on "below the quote" reply in HTML mode (#8700)
- Fix bug where attachments with content type of `application/vnd.ms-tnef` were not parsed (#7119)
- Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v
@ Telegram