Roundcube Webmail Vulnerabilities Let Attackers Steal Emails and Passwords
Cybersecurity researchers have disclosed details of vulnerabilities in the Roundcube webmail application that could be exploited to run malicious JavaScript in a victim's web browser and steal sensitive information from their account under certain conditions.
“Upon opening a malicious email in Roundcube that has been dispatched by a cyber attacker, the attacker can trigger random JavaScript actions in the target’s browser,” security firm Sonar said in an analysis published this week.
“The flaw can be exploited by attackers to steal emails, contacts, the victim’s email passcode, and also dispatch emails from the victim’s account.”
Following responsible disclosure on June 18, 2024, the three vulnerabilities were fixed in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
The list of vulnerabilities is as follows –
- CVE-2024-42008 – A cross-site scripting (XSS) flaw via a dangerous Content-Type header in a malicious email attachment
- CVE-2024-42009 – An XSS flaw arising from post-sanitization processing of HTML content
- CVE-2024-42010 – An information disclosure flaw stemming from insufficient CSS filtering
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to steal emails and contacts, and send emails from the victim's account, after the victim views a specially crafted email in Roundcube.
“By exploiting the critical XSS vulnerability (CVE-2024-42009), attackers can establish a persistent stronghold in the victim’s browser even after restarts, allowing them to continuously siphon off emails or acquire the victim’s passcode during their next input,” said security researcher Oskar Zeino-Mahmalat.
“For the CVE-2024-42008, the attack can succeed with just one click from the victim, although the attacker can make this interaction inconspicuous to the user.”
Further technical details about the issues have been withheld to give users time to update to the latest version, especially since flaws in the email software have repeatedly been abused by state-sponsored hacking groups such as APT28, Winter Vivern, and TAG-70.

The development comes as more details have emerged about a critical local privilege escalation flaw in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0) that allows an attacker to escalate to root and run several critical commands. The issue has been fixed in version 3.1.5.
“The user www-data is granted write permissions to the restapi.service file and also has sudo rights to execute various critical commands without requiring a password,” said a security researcher who goes by the online moniker 0xZon1 in a blog post. “This combination of permissions enables an attacker to adjust the service to run arbitrary code with elevated privileges, escalating their control from www-data to root.”
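The combination 0xZon1 describes (a systemd unit file the web-server account can rewrite, plus passwordless sudo for that same account) is something an administrator can audit for directly. The following is an added example and not RaspAP's own code: the sudoers fragment, the uid 12345 and the temporary unit files are constructed placeholders, and only plain per-user sudoers entries are parsed.

```python
import os, re, stat, tempfile

# Constructed sudoers fragment for illustration; not RaspAP's actual configuration.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/example (constructed)
www-data ALL=(ALL) NOPASSWD: /bin/systemctl restart restapi.service, /sbin/ip
alice ALL=(ALL) ALL
"""

# Matches "user host=(runas) [TAG: ...] command-list"; plain per-user lines only.
SUDO_LINE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def nopasswd_commands(sudoers_text, user):
    """Commands `user` may run via sudo with no password. %group and alias
    entries are not expanded here (a limitation of this example)."""
    found = []
    for raw in sudoers_text.splitlines():
        m = SUDO_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group("user") == user and "NOPASSWD:" in m.group("tags"):
            found.extend(c.strip() for c in m.group("cmds").split(","))
    return found

def writable_by(path, uid, gids):
    """True if an account with this uid/gids can modify `path` per its mode bits."""
    st = os.stat(path)
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)

def audit(unit_path, sudoers_text, user, uid, gids):
    """Flag the combination described above: a unit file the low-privilege
    account can rewrite, plus passwordless sudo for that same account."""
    cmds = nopasswd_commands(sudoers_text, user)
    writable = writable_by(unit_path, uid, gids)
    return {"unit_writable": writable, "nopasswd": cmds,
            "escalation_risk": writable and bool(cmds)}

def demo():
    """Audit two constructed unit files: one world-writable, one root-only 0644."""
    results = {}
    for label, mode in (("writable_unit", 0o666), ("locked_unit", 0o644)):
        fd, path = tempfile.mkstemp(suffix=".service")
        os.close(fd)
        os.chmod(path, mode)  # constructed mode; uid 12345 below is a placeholder
        try:
            results[label] = audit(path, SAMPLE_SUDOERS, "www-data", 12345, {12345})
        finally:
            os.remove(path)
    return results
```

On a real host, point `audit` at the actual unit file and the contents of `/etc/sudoers` and `/etc/sudoers.d/*`, using the real uid and group set of `www-data`.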