CVE-2021-46144: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Roundcube webmail versions before 1.4.13 and 1.5.x before 1.5.2. The vulnerability (CVE-2021-46144) was disclosed on December 30, 2021, and allows attackers to perform XSS attacks via HTML email messages containing maliciously crafted Cascading Style Sheets (CSS) token sequences (Roundcube News, NVD).

The vulnerability stems from improper sanitization of HTML messages containing CSS content. The issue specifically relates to how Roundcube handles CSS token sequences in HTML email messages. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction but can be exploited remotely without authentication (NVD).

If exploited, this vulnerability could allow attackers to perform cross-site scripting attacks through maliciously crafted HTML email messages. The impact includes potential disclosure of sensitive information and compromise of user interactions with the webmail interface (Debian Security).

The vulnerability has been fixed in Roundcube versions 1.4.13 and 1.5.2. The fix involves proper sanitization of CSS content in HTML messages. Users are strongly recommended to upgrade to these or later versions. For Debian systems, fixes were released for multiple distributions: version 1.3.17+dfsg.1-1~deb10u2 for Debian 10 (buster) and version 1.4.13+dfsg.1-1~deb11u1 for Debian 11 (bullseye) (Debian Security, Roundcube News).