Alex Birnberg discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability in handling HTML or Plain text messages with malicious content.