Security researchers from SonarSource have uncovered vulnerabilities in the Roundcube webmail application. These vulnerabilities can be exploited to inject malicious JavaScript code into a victim’s browser, leading to the theft of confidential information from their account under certain conditions.
According to experts, when a victim views an attacker’s malicious email in Roundcube, the attacker can automatically execute arbitrary JavaScript in the victim’s browser. This enables attackers to steal emails, contacts, email passwords, and even send emails on behalf of the victim.
Following responsible disclosure on June 18, 2024, the vulnerabilities were patched in Roundcube versions 1.6.8 and 1.5.8, which were released on August 4, 2024.
The list of vulnerabilities includes:
CVE-2024-42008 – a cross-site scripting vulnerability triggered by malicious content served with a dangerous Content-Type header;
CVE-2024-42009 – a cross-site scripting vulnerability that occurs when sanitized HTML content is rendered;
CVE-2024-42010 – an information disclosure vulnerability caused by insufficient CSS filtering.
Successful exploitation of these vulnerabilities allows unauthorized attackers to steal emails, contacts, and even send emails on behalf of victims after they view a specially crafted email in Roundcube.
Security researcher Oskar Zeino-Mahmalat highlighted that attackers can gain persistent access to a victim’s browser even after restarts, enabling them to continuously retrieve emails or steal the victim’s password upon their next login.
For a successful attack leveraging CVE-2024-42009, no user action is required except for viewing the email from the attacker. On the other hand, exploiting CVE