Critical Vulnerability Information

Vulnerability Type

XSS (Cross-Site Scripting): Includes Stored XSS and Self-XSS.

Affected Versions

Roundcube Versions: Confirmed that Fedora and EPEL releases of rcmail in versions 0.7.x and 0.8.x are affected.
Red Hat Enterprise Linux (RHEL): Needs confirmation whether affected.

Specific Issues

1. Issue 1: XSS in Subject Line when Displaying New Larry Skin and Text Content
   - Description: The introduction of the new Larry skin triggered an XSS vulnerability when displayed in the subject line.
   - Upstream Patch: Relevant patch provided, but needs verification for applicability to Fedora and EPEL 0.7.x versions.
   - Reference Links: Trac Ticket Link, Upstream Patch Link.
2. Issue 2: Stored XSS in Email Body
   - Description: Stored XSS vulnerability found in the email body.
   - Upstream Patch: Upstream patch provided and requires review for applicability to Fedora and EPEL rcmail versions.
   - Reference Links: Trac Ticket Link, Upstream Patch Link.
3. Issue 3: Self-XSS in Email Body (Signature Section)
   - Description: Self-XSS vulnerability discovered in the signature section of the email body.
   - Upstream Patch: Upstream patch provided but requires further review.
   - Reference Links: Trac Ticket Link, Upstream Patch Link.

CVE Information

CVE-2012-3507: Assigned to Issue 1.
CVE-2012-3508: Assigned to Issues 2 and 3, as they belong to the same type of vulnerability.

Confirmation Required

Further review needed to confirm whether Fedora/EPEL rcmail versions are affected.