An issue was discovered in Roundcube Webmail before 1.3.12. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
