In a recent post, Roundcube webmail upstream has announced the following
security fix for #1003027.
CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
messages with malicious CSS content.
(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
1.3 are affected too and the same fix applies cleanly. buster- and
bullseye-security are no longer affected.)
Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload
if you'd like, but would appreciate it if you could take care of the DLA :-)