OVAL

MDVSA-2013:148 -- Mandriva roundcubemail

ID: oval:org.secpod.oval:def:1300186
Date: (C)2013-04-23   (M)2022-10-10
Class: PATCH
Family: unix




Multiple vulnerabilities have been found and corrected in roundcubemail:

Cross-site scripting vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.

A local file inclusion flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed validation of the 'generic_message_footer' value provided via the web user interface in certain circumstances. A remote attacker could issue a specially crafted request that, when processed by RoundCube Webmail, could allow the attacker to obtain arbitrary files on the system that are accessible with the privileges of the user running the RoundCube Webmail client.

The updated packages have been patched and upgraded to the 0.7.4 version, which is not affected by these issues.

Platform:
Mandriva Enterprise Server 5.2
Product:
roundcubemail
Reference:
MDVSA-2013:148
CVE-2012-4668
CVE-2013-1904
CVE (2):
CVE-2013-1904
CVE-2012-4668
CPE (1):
cpe:/o:mandriva:enterprise_server:5.2

© SecPod Technologies