Data Theft Alert: Roundcube Vulnerabilities Put Confidential Information at Risk
Security researchers from SonarSource have unveiled vulnerabilities in Roundcube webmail software that could be exploited to execute malicious JavaScript code in a victim’s browser and steal confidential information from their account under certain conditions.
Experts reported that when a user views a malicious email in Roundcube, sent by an attacker, the mail client automatically executes the harmful JavaScript code in the browser. This allows the attacker to steal emails, contacts, and email passwords, as well as send emails on behalf of the victim.
Following responsible disclosure on June 18, 2024, the vulnerabilities were patched in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
The list of vulnerabilities includes:
- CVE-2024-42008 — a cross-site scripting vulnerability through a malicious attachment with a dangerous Content-Type header;
- CVE-2024-42009 — a cross-site scripting vulnerability arising from the post-processing of sanitized HTML content;
- CVE-2024-42010 — an information disclosure vulnerability due to insufficient CSS filtering.
Successful exploitation of these vulnerabilities allows unauthorized attackers to steal emails and contacts, as well as send emails on behalf of the victim after viewing a specially crafted email in Roundcube.
Security researcher Oscar Zayno-Mahmalat noted that attackers could gain persistent access to the user’s browser even after restarts, enabling them to continuously exfiltrate emails or steal the victim’s password upon its next entry.
For a successful attack exploiting CVE-2024-42009, no action is required from the user other than viewing the attacker’s email. In contrast, CVE-2024-42008 requires one click from the victim, but the attacker can make this interaction imperceptible.
Additional technical details have intentionally been withheld to give users time to update to the latest version. Webmail vulnerabilities have repeatedly been exploited by state-sponsored hackers, such as APT28, Winter Vivern, and TAG-70, so delaying the update is highly inadvisable.
