Another XSS flaw reported in Roundcube Webmail
Take action: If you run Roundcube Webmail, patch now. These are another round of flaws with only moderate CVSS scores that will nonetheless be exploited in the wild: earlier Roundcube XSS bugs of the same kind already have been, and attackers who have the playbook will re-use it.
Learn More
Sonar's Vulnerability Research Team has identified a set of Cross-Site Scripting (XSS) vulnerabilities in Roundcube Webmail.
Roundcube is a widely used open-source webmail client, commonly deployed on government agency mail servers across Europe. The flaws allow an attacker to execute arbitrary JavaScript in a victim's browser when the victim views a malicious email.
Roundcube is bundled with cPanel, which puts it on millions of servers worldwide; it is also used by universities and government agencies. Because email is critical to government employees, they are prime targets for Advanced Persistent Threat (APT) groups such as Winter Vivern.
The flaws are tracked as:
- CVE-2024-42009 (CVSS score 6.1) - A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send a victim's emails via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
- CVE-2024-42008 (CVSS score 6.1) - A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send a victim's emails via a malicious e-mail attachment served with a dangerous Content-Type header.
- CVE-2024-42010 (CVSS score 7.5) - mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.
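The CVE-2024-42008 entry describes a bug class rather than a one-off: a webmail attachment endpoint that echoes the sender's Content-Type lets a mail part be rendered as HTML or SVG inside the webmail origin, where its script runs with the victim's session. The Python below is an added illustration of the defensive pattern for that class (allowlist the types that may render inline, downgrade active content to an opaque download, and send nosniff); it is not Roundcube's code or its patch, and the allowlist and type sets are assumptions chosen for the example.

```python
import re

# Media types a browser renders inline without running script; everything
# else is served as a download. This allowlist is an assumption made for
# the example, not Roundcube's list.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}

# Media types the browser would execute as active content in the webmail
# origin if served as-is: these are the "dangerous Content-Type" cases.
ACTIVE_CONTENT = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript", "application/javascript",
}

# type/subtype token (RFC 2045 token characters), lower-cased; parameters dropped.
_TYPE_TOKEN = re.compile(r"^[a-z0-9][a-z0-9!#$&^_.+-]*/[a-z0-9][a-z0-9!#$&^_.+-]*$")


def normalize_content_type(declared: str) -> str:
    """Reduce a sender-supplied Content-Type to a bare, validated type/subtype.

    Anything that is not a well-formed token is treated as opaque bytes so
    that odd spellings cannot smuggle an active type past the check.
    """
    main = declared.split(";", 1)[0].strip().lower()
    return main if _TYPE_TOKEN.match(main) else "application/octet-stream"


def attachment_headers(declared_ct: str, filename: str, inline_requested: bool = False) -> dict:
    """Return the response headers for serving one MIME part.

    The sender's Content-Type is honoured for inline display only when it is on
    the allowlist; active content is always downgraded to application/octet-stream
    and forced to download, and nosniff stops the browser from guessing a type.
    """
    ct = normalize_content_type(declared_ct)
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "attachment"

    ct_out = "application/octet-stream" if ct in ACTIVE_CONTENT else ct
    disposition = "inline" if (inline_requested and ct in INLINE_SAFE) else "attachment"

    return {
        "Content-Type": ct_out,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample parts, as a sender might craft them.
    for ct, name in [("text/html; charset=utf-8", "invoice.html"),
                     ("image/svg+xml", "logo.svg"),
                     ("image/png", "photo.png")]:
        print(name, attachment_headers(ct, name, inline_requested=True))
```

Note that downgrading the type is not enough on its own: a browser asked to display `text/html` inline would still sniff an HTML body without `X-Content-Type-Options: nosniff`, and a `Content-Disposition: inline` on anything outside the allowlist re-opens the hole.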
The attack requires minimal user interaction: merely viewing a malicious email for CVE-2024-42009, or a single click for CVE-2024-42008. Once the injected JavaScript runs in the webmail origin, an attacker can steal emails and contacts, capture the victim's email password, send emails from the victim's account, and maintain a persistent presence in the victim's browser, even across browser restarts.
Administrators are urged to update Roundcube to the patched versions 1.6.8 or 1.5.8 as soon as possible.
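For administrators with many installations to triage, the check that matters is "is this instance at or past the fixed release for its branch". The Python below is an added example, not Roundcube's own tooling: it encodes the affected ranges stated above (through 1.5.7, and 1.6.x through 1.6.7) and the fixed releases 1.5.8 and 1.6.8. It assumes that Roundcube records its version as `define('RCMAIL_VERSION', 'x.y.z')` in `program/include/iniset.php`; verify that location against your own install before relying on it.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the advisory, keyed by release branch.
# Tuples are (major, minor, patch, is_final_release).
FIXED_IN = {(1, 5): (1, 5, 8, 1), (1, 6): (1, 6, 8, 1)}

# Assumption for this example: Roundcube records its version as
# define('RCMAIL_VERSION', 'x.y.z') in program/include/iniset.php.
VERSION_FILE = "program/include/iniset.php"
_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")
_VERSION = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(.*)")


def parse_version(text: str) -> tuple:
    """'1.6.7' -> (1, 6, 7, 1); '1.6.8rc1' or '1.6.7-git' -> (..., 0).

    Any suffix (rc, beta, -git snapshot) ranks below the final release of the
    same number, so a pre-release of the fixed version is still reported as
    unpatched rather than assumed to carry the fix.
    """
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 1 if suffix.strip() == "" else 0
    return (int(major), int(minor), int(patch), final)


def is_patched(version: str) -> bool:
    """True if `version` lies outside the affected range for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v >= FIXED_IN[branch]
    # Older than 1.5: out of support and never received these fixes.
    # Newer than the 1.6 branch: outside the affected range in the advisory.
    return branch > (1, 6)


def version_from_iniset(source: str) -> str:
    """Extract the RCMAIL_VERSION value from the contents of iniset.php."""
    m = _DEFINE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php")
    return m.group(1)


def check_install(roundcube_root: str) -> tuple:
    """Return (version string, patched?) for an on-disk Roundcube tree."""
    src = Path(roundcube_root, VERSION_FILE).read_text(errors="replace")
    ver = version_from_iniset(src)
    return ver, is_patched(ver)


# Constructed sample of the relevant line, so the parsing path runs offline.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.7');\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ver, ok = check_install(sys.argv[1])
    else:
        ver = version_from_iniset(SAMPLE_INISET)
        ok = is_patched(ver)
    print(f"Roundcube {ver}: {'patched' if ok else 'VULNERABLE, update to 1.5.8 / 1.6.8'}")
```

Run it as `python3 check_roundcube.py /path/to/roundcube` against each install (the script name is arbitrary); with no argument it evaluates the embedded sample and reports 1.6.7 as vulnerable. Because cPanel ships its own Roundcube build, confirm the version it reports rather than assuming the upstream release number.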