    Roundcube Webmail Vulnerabilities Enable Hackers to Steal Emails and Passwords

    Security researchers have disclosed critical vulnerabilities in the Roundcube webmail software that could be exploited to run malicious JavaScript in a user’s web browser and, under certain conditions, steal sensitive information from the user’s account.

    According to a report by cybersecurity firm Sonar, “When a user opens a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript within the user’s browser.”

    “This vulnerability can be exploited to steal emails, contacts, and the user’s email password, as well as to send emails from the user’s account,” the analysis added.

    Following responsible disclosure on June 18, 2024, the vulnerabilities have been patched in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
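    The first thing an administrator wants after reading the paragraph above is a quick way to tell whether an installation is on a fixed release. The snippet below is an added example written for this page, not Roundcube project code: it compares an installed version against the two fixed versions named here (1.6.8 and 1.5.8), treating the 1.4 and older branches as unfixed. It assumes that Roundcube records its release number in the RCMAIL_VERSION constant in program/include/iniset.php (verify this on your own install), and the default install path in the main block is a placeholder.

```python
import re

# Fixed versions named in the advisory: 1.6.8 for the 1.6 branch, 1.5.8 for the 1.5 branch.
FIXED_IN = {(1, 6): (1, 6, 8), (1, 5): (1, 5, 8)}
CVES = ("CVE-2024-42008", "CVE-2024-42009", "CVE-2024-42010")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a version string such as '1.6.7' into a numerically comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """Return 'patched' or 'vulnerable' for an installed Roundcube version.

    Branches older than 1.5 never received the August 2024 fixes; a branch newer
    than 1.6 is assumed (not stated on the page) to carry the fixes forward.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return "patched" if v >= FIXED_IN[branch] else "vulnerable"
    return "patched" if branch > (1, 6) else "vulnerable"


def version_from_iniset(php_source: str) -> str:
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php.

    That file and constant are assumed to be where Roundcube records its release
    number; check the file on your own install.
    """
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php source")
    return m.group(1)


def triage(php_source: str) -> dict:
    """Read the version out of the PHP source and say which CVEs still apply."""
    version = version_from_iniset(php_source)
    status = patch_status(version)
    return {
        "version": version,
        "status": status,
        "open_cves": list(CVES) if status == "vulnerable" else [],
    }


if __name__ == "__main__":
    import sys
    from pathlib import Path

    # placeholder default path; pass the real web root as the first argument
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/var/www/roundcube")
    src = (root / "program" / "include" / "iniset.php").read_text()
    print(triage(src))
```

    Run it against the web root of each Roundcube instance; the numeric tuple comparison matters because a string comparison would rank 1.6.10 below 1.6.8.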

    The identified vulnerabilities are as follows:

    • CVE-2024-42008 – A cross-site scripting (XSS) flaw due to a malicious email attachment with a dangerous Content-Type header.
    • CVE-2024-42009 – An XSS flaw caused by the post-processing of sanitized HTML content.
    • CVE-2024-42010 – An information disclosure flaw resulting from inadequate CSS filtering.
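    The first bug in the list is an instance of a general webmail failure: serving an attachment to the browser under the Content-Type the sender declared. The code below is an added example written for this page, not Roundcube’s own attachment handler or its fix for CVE-2024-42008. It shows the anti-pattern (echoing the declared type) next to a defensive policy that normalises the type, refuses to serve active content such as HTML or SVG under its own type, forces a download for anything not on a small inline allow-list, sanitises the filename, and sets nosniff and a sandboxing CSP. The type lists are my assumptions and should be tuned to what your client actually needs to render.

```python
import re

# MIME types a browser will execute or render as active content if served
# with the declared type; never serve user-supplied data under these.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript", "application/javascript",
    "application/x-javascript", "text/ecmascript", "application/ecmascript",
    "text/vbscript", "application/xml-dtd", "text/xsl",
}

# Types considered safe to render inline in the attachment view (assumed list).
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}

_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MIME_RE = re.compile("^" + _TOKEN + "/" + _TOKEN + "$")


def naive_attachment_headers(declared_type: str, filename: str) -> dict[str, str]:
    """The anti-pattern: trust the type from the message part and render inline."""
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def normalize_mime(declared: str) -> str:
    """Lower-case the attacker-controlled Content-Type and drop its parameters."""
    base = declared.split(";", 1)[0].strip().lower()
    return base if MIME_RE.match(base) else "application/octet-stream"


def safe_attachment_headers(declared_type: str, filename: str,
                            want_inline: bool = False) -> dict[str, str]:
    """Headers for serving an attachment so the browser cannot treat it as a page."""
    mime = normalize_mime(declared_type)
    if mime in ACTIVE_TYPES:
        # Active content is always downloaded as an opaque blob.
        mime = "application/octet-stream"
        want_inline = False
    # Strip anything a filename could use to break out of the header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:255] or "attachment"
    disposition = "inline" if want_inline and mime in INLINE_OK else "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop browsers from second-guessing the type we send.
        "X-Content-Type-Options": "nosniff",
        # Even if something active slips through, deny it scripts and origin access.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed attacker attachment: an HTML part the sender wants rendered.
    for fn in (naive_attachment_headers, safe_attachment_headers):
        print(fn.__name__, fn("text/html; charset=utf-8", "invoice.html"))
```

    Serving attachments from a separate origin (a dedicated download host) adds a second layer that the header policy alone does not give you, because even a same-origin text/plain response can be abused by some legacy clients.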

    If exploited, these flaws allow an attacker who holds no credentials on the server to steal the victim’s emails and contacts and to send emails from the victim’s account; the only precondition is that the victim views the attacker’s specially crafted email in Roundcube (and, for one of the flaws, clicks on something within it).

    “Attackers can maintain a persistent presence in the victim’s browser even after restarts, enabling continuous exfiltration of emails or theft of the victim’s password upon its next entry,” explained security researcher Oskar Zeino-Mahmalat.

    “For the critical XSS vulnerability (CVE-2024-42009), no user interaction beyond opening the attacker’s email is needed. For CVE-2024-42008, the victim must click on something, though the attacker can make this step less apparent,” he noted.

    Detailed technical information has been withheld to allow users time to update to the latest version. This is particularly relevant given that vulnerabilities in webmail software have been exploited by state-sponsored actors such as APT28, Winter Vivern, and TAG-70.

    In related news, a severe local privilege escalation vulnerability has been discovered in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0), which allows an attacker who already has local access as the web-server user to gain root access and execute critical commands. This issue has been resolved in version 3.1.5.

    “A combination of permissions allows an attacker, with write access to the restapi.service file and sudo privileges, to modify the service and execute arbitrary code with root access, elevating their privileges from www-data to root,” said security researcher 0xZon1.
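    The quoted chain has two preconditions that an administrator can check directly on a host: the web user can write the unit file, and the web user is allowed to run systemctl through sudo. The script below is an added example written for this page, not RaspAP project code or the researcher’s proof of concept. It decides file writability from mode and ownership (POSIX ACLs are ignored), parses the rule lines printed by `sudo -l -U <user>`, and combines the two into a verdict. The path to restapi.service is not given on the page, so the script takes it as an argument; the user name www-data is taken from the quote; the sudoers output used in the test is constructed.

```python
import os
import pwd
import grp
import stat
import subprocess
import sys


def writable_by(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set[int]) -> bool:
    """Can a user with uid/gids write a file with this mode and ownership?

    POSIX ACLs are not considered, and root is not special-cased because the
    question is about an unprivileged account.
    """
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def identity(username: str) -> tuple[int, set[int]]:
    """uid and the full set of gids (primary plus supplementary) for a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def sudo_rules_for(sudo_l_output: str, command: str = "systemctl") -> list[str]:
    """Pick the rule lines from `sudo -l -U <user>` output that grant a command."""
    rules = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        # Rule lines look like "(ALL) NOPASSWD: /bin/systemctl restart foo.service".
        if line.startswith("(") and command in line:
            rules.append(line)
    return rules


def assess(unit_writable: bool, systemctl_rules: list[str]) -> str:
    """Combine the two preconditions from the advisory into a verdict."""
    if unit_writable and systemctl_rules:
        return "ESCALATION PATH: unit file writable and sudo systemctl granted"
    if unit_writable:
        return "unit file writable by the web user (fix ownership and mode)"
    if systemctl_rules:
        return "sudo systemctl granted, unit file protected (acceptable, but review)"
    return "no escalation preconditions found"


def audit(unit_path: str, username: str = "www-data") -> str:
    """Check a live host: stat the unit file and ask sudo what the user may run."""
    st = os.stat(unit_path)
    uid, gids = identity(username)
    writable = writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    out = subprocess.run(["sudo", "-l", "-U", username],
                         capture_output=True, text=True, check=False).stdout
    return assess(writable, sudo_rules_for(out))


if __name__ == "__main__":
    # usage: python3 raspap_check.py /path/to/restapi.service [username]
    print(audit(sys.argv[1], *sys.argv[2:3]))
```

    A unit file that root owns with mode 0644 closes the first precondition regardless of what sudo allows; the sudo rules are still worth pruning because any other root-run file the web user can write reopens the same path.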
