Attack

Hackers exploit XSS flaw in Roundcube to steal credentials and emails

Take action: Another Roundcube flaw that is actively exploited. This time the attack method is a bit different, but all it takes is for the user to open a malicious email. Update IMMEDIATELY and educate your users.


Learn More

Researchers at Positive Technologies report that attackers are actively exploiting a medium-severity stored cross-site scripting (XSS) vulnerability in Roundcube Webmail to target government organizations in the Commonwealth of Independent States (CIS) region.

Roundcube, an open-source, PHP-based IMAP client, is often targeted by hackers, including state-sponsored groups, due to its widespread use in commercial and government settings.

The flaw, tracked as CVE-2024-37383 (CVSS score 6.1), was first reported in June 2024 and detected in active exploitation in September 2024. It allows attackers to inject and execute malicious JavaScript via improperly processed SVG elements: the vulnerability is triggered by improperly handled SVG <animate> attributes in an HTML email, so merely opening the message in the Roundcube interface runs the hidden script in the victim's browser session.
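As an added illustration (not code from this article, from Positive Technologies, or from the Roundcube project, whose sanitizer is rcube_washtml), the following Python scanner flags the class of SVG markup described above: SMIL animation elements (animate, set, animateMotion, animateTransform) whose attributeName retargets href or xlink:href. The sample bodies are constructed; the hostile one uses the generic, publicly documented SVG animate-href technique as a stand-in, not the actual payload from the campaign, which the article does not reproduce.

```python
# Added example: detect SVG animation elements that retarget href attributes
# in HTML email bodies. Illustrative code, not Roundcube's sanitizer and not
# the payload used in the reported campaign.
from dataclasses import dataclass
from html.parser import HTMLParser

# SVG elements that can rewrite another element's attribute over time (SMIL).
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
# Animating a link target is how such elements become a script vector.
TARGET_ATTRS = {"href", "xlink:href"}
# Attributes through which an animated value can be supplied.
VALUE_ATTRS = ("values", "to", "from", "by")


@dataclass
class Finding:
    tag: str             # animation element name, lower-cased
    attribute_name: str  # the attribute being animated (href / xlink:href)
    value: str           # the animated value(s), joined with ';'


class SvgAnimateScanner(HTMLParser):
    """Collects animation elements whose attributeName is a link target.

    The check is deliberately context-free: it does not matter whether the
    element sits inside <svg>, because foreign-content parsing rules are easy
    to get wrong and a mail filter should fail closed.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[Finding] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, not values.
        attributes = {name: (value or "") for name, value in attrs}
        if tag not in ANIMATION_TAGS:
            return
        target = attributes.get("attributename", "").strip().lower()
        if target in TARGET_ATTRS:
            animated = ";".join(attributes[a] for a in VALUE_ATTRS if a in attributes)
            self.findings.append(Finding(tag, target, animated))


def scan_email_html(body: str) -> list[Finding]:
    """Return every href-animating SVG element found in an HTML body."""
    scanner = SvgAnimateScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_suspicious(body: str) -> bool:
    """True if the body animates a link target at all, regardless of value.

    Matching only on the literal string 'javascript:' would miss case,
    whitespace and entity-encoding variants; rejecting the construct is safer.
    """
    return bool(scan_email_html(body))


# Constructed samples (not captured mail). The hostile one uses the generic,
# publicly documented animate-href technique, not the campaign's payload.
BENIGN_SAMPLE = (
    '<html><body><p>Status report attached.</p>'
    '<svg width="16" height="16"><circle r="6" cx="8" cy="8">'
    '<animate attributeName="opacity" values="0;1" dur="1s" repeatCount="indefinite"/>'
    '</circle></svg></body></html>'
)

HOSTILE_SAMPLE = (
    '<html><body>'  # renders as an apparently empty message
    '<svg><a>'
    '<ANIMATE attributeName="XLINK:HREF" to="JavaScript:alert(1)"/>'
    '<text x="20" y="20"> </text>'
    '</a></svg></body></html>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("hostile", HOSTILE_SAMPLE)):
        print(label, is_suspicious(sample), scan_email_html(sample))
```

The rule intentionally flags any animation of a link target rather than inspecting the animated value for a script scheme: legitimate HTML email has no reason to animate href, and value-based matching is exactly the kind of filter that mixed-case, whitespace and entity tricks slip past. Note that the benign sample, which animates opacity, produces no finding, while the mixed-case hostile sample is still caught because tag and attribute names are compared case-insensitively.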

Attackers used emails that appeared empty, containing only a .DOC attachment. When a user opened the message, the hidden JavaScript in its body:

  1. Downloaded a decoy document ("Road map.doc").
  2. Injected an unauthorized login form into the HTML page, attempting to capture the user’s credentials.
  3. Attempted to retrieve messages from the mail server using the ManageSieve plugin.
  4. Exfiltrated credentials to a remote server at "libcdn[.]org".

Affected Versions:

  • Roundcube versions before 1.5.7
  • Roundcube versions from 1.6 to 1.6.6

Fixed Versions:

  • Patched in Roundcube 1.5.7 and 1.6.7 (released May 19, 2024)
  • Latest version 1.6.9 (released September 1, 2024)

Successful exploitation of CVE-2024-37383 could lead to credential theft, email exfiltration, and potential full account compromise.

Recommended actions:

  • Update Roundcube Webmail to the latest version (1.6.9).
  • Implement security measures such as email filtering and enhanced network monitoring.
  • Educate users on phishing risks, particularly those targeting Roundcube.