top | item 46942455


elric | 20 days ago

SVGs are such an amazing attack vector. Nearly every webapp I've seen that allows image or SVG uploads is vulnerable to XSS. If the Roundcube implementation allows for remote image fetching, it's probably worth checking it for XSS vulnerabilities.

Also: what's the legal status of this kind of tracking? How does it jibe with the GDPR?
