Two Cross-Site Scripting Vulnerabilities Threaten Millions of Users
Popular open-source webmail software Roundcube has been found to contain two critical cross-site scripting (XSS) vulnerabilities, CVE-2024-42009 and CVE-2024-42008. These flaws can be exploited by attackers to steal sensitive user data, including emails, contacts, and passwords, as well as send malicious messages on behalf of compromised accounts.
How the Attacks Work
Both vulnerabilities let an attacker run JavaScript in the victim's browser, inside the logged-in Roundcube session, when the victim views a specially crafted HTML email. CVE-2024-42009 needs no interaction beyond opening the email; CVE-2024-42008 requires a single click, but the element the victim clicks can be disguised so that nothing looks suspicious.
Because the script runs in the victim's session, it can read mailbox contents, contacts and settings and send mail as the victim, and it can establish a persistent foothold in the browser so that data keeps being exfiltrated or the password is captured the next time it is typed in. A third issue, CVE-2024-42010, allows information to be leaked through insufficiently filtered CSS in email content, without any JavaScript running at all.
A History of Roundcube Exploitation
These vulnerabilities fit a recurring pattern: Roundcube's rendering of HTML email has repeatedly been targeted, including by state-aligned APT groups. Previous attacks have leveraged similar flaws to compromise high-profile targets, including government agencies and think tanks. Notable incidents include:
- June 2023: A spear-phishing campaign targeting Ukrainian state organizations exploited XSS and SQL injection vulnerabilities to steal data from Roundcube databases.
- October 2023: The Winter Vivern APT group used a zero-day XSS vulnerability to target European government entities and a think tank.
- February 2024: CISA added an actively exploited Roundcube XSS flaw to its Known Exploited Vulnerabilities catalogue, requiring US federal agencies to patch it.
Mitigating the Risk
To protect against these threats, Roundcube administrators are urged to update to 1.6.8 (1.6 branch) or 1.5.8 (1.5 branch) as soon as possible. Users who suspect their accounts may have been compromised should change their email password and also clear the browser's stored site data (cookies and local storage) for the Roundcube host, since a payload that has gained persistence in the browser can otherwise outlive the password change.
While the technical details of these vulnerabilities have been withheld to give users time to patch their systems, the rapid exploitation of similar flaws in the past underscores the urgency of addressing this issue.
Additional Information
- Roundcube is widely used by European government agencies, hosting providers, and academic institutions worldwide.
- The vulnerabilities affect Roundcube 1.6.7 and earlier and 1.5.7 and earlier; they are fixed in 1.6.8 and 1.5.8.
- A third vulnerability, CVE-2024-42010, allows information disclosure through CSS manipulation.
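As an added check for the mitigation and affected-version points above (this is not code from the original page, from Roundcube or from the advisory), the script below reads the version constant Roundcube defines in program/include/iniset.php and compares it with the first fixed release on each branch. The iniset.php content embedded in it is constructed; the treatment of branches newer than 1.6 as already fixed is an assumption, not something the advisory states.

```python
"""Flag Roundcube installs that predate the 1.6.8 / 1.5.8 fixes.

Added example, not Roundcube's own tooling. It relies only on Roundcube
declaring its version in program/include/iniset.php as
define('RCMAIL_VERSION', '...').
"""
import re
import sys
from pathlib import Path

# Constructed stand-in for the relevant lines of program/include/iniset.php.
SAMPLE_INISET = """<?php
// Roundcube Webmail startup
define('RCMAIL_VERSION', '1.6.7');
define('RCMAIL_START', microtime(true));
"""

# First fixed release on each maintained branch, as stated in the advisory.
FIXED_IN = {(1, 6): (1, 6, 8), (1, 5): (1, 5, 8)}

# Captures the numeric part only, so '1.6.8-git' yields '1.6.8'.
_VERSION_RE = re.compile(
    r"define\(\s*'RCMAIL_VERSION'\s*,\s*'(\d+(?:\.\d+)*)[^']*'\s*\)"
)


def parse_version(iniset_source: str) -> str:
    """Return the numeric RCMAIL_VERSION string from iniset.php source."""
    m = _VERSION_RE.search(iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found; is this program/include/iniset.php?")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """'1.6.7' -> (1, 6, 7), so tuples compare like versions."""
    return tuple(int(p) for p in version.split("."))


def needs_patch(version: str) -> bool:
    """True if this release predates the fix on its branch."""
    v = version_tuple(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # Branches older than 1.5 are end-of-life and never received the fix.
    # Branches newer than 1.6 are assumed (an assumption, not an advisory
    # statement) to have been cut after the fix landed.
    return branch < (1, 5)


def check_install(root: Path) -> tuple:
    """Read a live install under `root` and return (version, needs_patch)."""
    src = (root / "program" / "include" / "iniset.php").read_text(encoding="utf-8")
    ver = parse_version(src)
    return ver, needs_patch(ver)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ver, vuln = check_install(Path(sys.argv[1]))
    else:
        ver = parse_version(SAMPLE_INISET)
        vuln = needs_patch(ver)
    print(f"Roundcube {ver}: {'UPDATE REQUIRED' if vuln else 'patched'}")
```

Run it with the Roundcube install directory as the only argument (for example `python check_roundcube.py /var/www/roundcube`); with no argument it evaluates the constructed sample and reports that 1.6.7 needs updating. Pre-release suffixes such as `-git` are ignored, so a git checkout that reports 1.6.8-git is treated as the 1.6.8 codebase.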
By understanding the severity of these vulnerabilities and taking immediate action, organizations can significantly reduce the risk of email account compromise and data theft.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.