We've just released version 2.4 of the Roundcube Plus Calendar plugin, and it's the most significant update the calendar has had to date. This release rebuilds the plugin's front end on a modern framework, brings it up to date with the latest underlying libraries, and closes a large number of security issues uncovered during a thorough audit. If you're running an earlier version, we urge you to upgrade to this latest version as soon as possible to make sure your calendar system is secure.
Here's what's included:
Security Audit and Fixes
The calendar underwent an extensive security review, and version 2.4 resolves every issue that was found. The fixes span a wide range of vulnerability types, and together they represent the single best reason to upgrade. The highlights include:
Several SSRF (server-side request forgery) issues were closed, including ones involving adding CalDAV calendars and saving CalDAV events. The release also adds a new configuration option that lets administrators block outbound CalDAV connections to private or internal addresses.
Multiple cross-site scripting (XSS) vulnerabilities were resolved. These covered event descriptions pulled from remote calendars, the construction of iTIP invitation messages, and popup alarms.
A number of event and calendar hijacking issues were fixed, covering the saving of events and calendars and the adding of external CalDAV and Google calendars.
Several potential path traversal vulnerabilities were closed, including ones in event attachment handling, the holiday calendar listing, and timezone lookups.
Additional fixes address an IDOR (insecure direct object reference) issue when downloading events, unauthorized event access in the CalDAV server, and HTML injection in both iMIP and shared-calendar emails. The release also strengthens token generation for calendar publishing, hardens CalDAV server authentication, and reworks zip calendar import to be both safer and faster.
A Modernized Front End
The calendar's interface was previously built on AngularJS, which has been discontinued and no longer receives security updates. In version 2.4, the entire front end has been migrated to Alpine.js, a modern, actively maintained JavaScript framework. With this change, Calendar joins the rest of the Roundcube Plus lineup in leaving AngularJS behind, resulting in a more secure and more maintainable code base.
Updated Libraries
Alongside the framework migration, the calendar's underlying components were brought up to date. Most notably, FullCalendar, the core engine behind the calendar grid, was upgraded from 5.11.3 to 6.1.20. This keeps the plugin current and reduces reliance on older releases.
Functionality Fixes and Improvements
This release also corrects a long list of functional bugs and rough edges. Among the most noticeable:
Birthday calendars received several fixes, resolving cases where birthdays didn't appear on Roundcube 1.7, in views spanning more than two years, or on the correct day around leap years and date boundaries.
Event handling was improved across the board, including fixes to dragging and resizing events that use different start and end timezones, all-day event moves, the initial time when creating events in month view, and error handling during drag-and-drop.
Invitation handling (iTIP) was made more reliable, with better detection of when an organizer has updated an event and clearer indicators when an invitation changes between all-day and timed.
CalDAV behavior was tightened up, including fixes to deleted events still being served, timezone handling when querying and saving events, and calendar discovery.
A range of smaller fixes round things out, from search page date ranges and zip import compatibility to Today's Agenda counts, dark-mode popup colors, and various interface refinements across both modern and legacy Larry-based skins.
Seamless Upgrade
This release makes no database changes, so updating from the previous version is straightforward. Your existing calendars, events, and settings carry over without any additional migration steps.
If your calendar configuration allows connections to external CalDAV servers, you might want to explore the new config option xcalendar_caldav_block_private_hosts. It can add an additional layer of protection against CalDAV addresses being used to probe internal services on your network.
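To illustrate the kind of check a private-host block performs, here is an added Python example. It is not the plugin's code and does not show how xcalendar_caldav_block_private_hosts is implemented; the FAKE_DNS table, fake_resolver and the sample URLs are constructed for an offline run. The check resolves the CalDAV host (or parses an IP literal, including IPv4-mapped IPv6 forms) and refuses any URL whose host lands on a loopback, link-local, RFC 1918 or otherwise non-public address, failing closed when the name does not resolve.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed offline DNS table for the demonstration (no real lookups are made).
FAKE_DNS = {
    "caldav.example.org": ["1.2.3.4"],            # constructed public address
    "intranet.example.internal": ["10.0.0.5"],    # RFC 1918 address
    "dual.example.org": ["1.2.3.4", "10.0.0.5"],  # mixed answer set
}


def fake_resolver(hostname):
    """Offline stand-in for DNS used by the demo; returns [] for unknown names."""
    return FAKE_DNS.get(hostname.lower(), [])


def system_resolver(hostname):
    """Real resolver for production use: every A/AAAA answer for the name."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 scope suffix ("%eth0") so ipaddress can parse the result.
    return sorted({info[4][0].split("%")[0] for info in infos})


def is_non_public(addr):
    """True for any address an outbound CalDAV fetch must not reach."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is judged by its IPv4 payload.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def check_caldav_url(url, block_private_hosts=True, resolver=system_resolver):
    """Return (allowed, reason) for an outbound CalDAV URL.

    Every resolved address is inspected: if a name returns a mix of public and
    private answers, the URL is refused, because the remote DNS operator chooses
    which answer the client will use.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if not block_private_hosts:
        return True, "private-host blocking disabled"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal
    except ValueError:
        addresses = resolver(host)                      # DNS name
    if not addresses:
        return False, "host does not resolve (fail closed)"
    for addr in addresses:
        if is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, checked against the offline resolver.
    samples = [
        "https://caldav.example.org/dav/",
        "http://127.0.0.1:8080/",
        "http://[::1]/",
        "https://intranet.example.internal/",
        "http://[::ffff:10.0.0.5]/",
        "https://dual.example.org/",
        "ftp://caldav.example.org/",
    ]
    for sample in samples:
        allowed, reason = check_caldav_url(sample, resolver=fake_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {sample}  ({reason})")
```

In a real client the address that passed the check should be the one actually connected to, and the check repeated for every HTTP redirect, since a DNS answer can change between the check and the connection.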
Available Now
Version 2.4 is available for download in the customer area of our website, and the complete list of changes is in the change log on the plugin's page.
Given the scope of the security work in this release, along with the move to a modern front end and updated calendar UI components, we strongly recommend upgrading as soon as you're able.