Critical XSS bug in Roundcube Webmail allows attackers to steal emails and sensitive data

Published 2024-08-07 at https://securityaffairs.com/166736/hacking/critical-xss-bug-in-roundcube-webmail.html

Researchers warn of flaws in the Roundcube webmail software that could be exploited to steal sensitive information from target accounts.

Sonar’s Vulnerability Research Team discovered a critical Cross-Site Scripting (XSS) vulnerability in the popular open-source webmail software Roundcube. Roundcube is included by default in the server hosting panel cPanel, which has millions of installations worldwide.

An attacker can trigger the vulnerability to execute arbitrary JavaScript in the victim’s browser when they view a malicious email, potentially leading to the theft of emails, contacts, and passwords, and to unauthorized email sending.

Experts pointed out that government employees’ emails are a valuable target for APT groups carrying out cyber espionage campaigns. In October 2023, ESET Research revealed that a similar vulnerability was exploited by the APT group Winter Vivern to target European government entities.

The experts discovered two XSS vulnerabilities tracked as CVE-2024-42009 and CVE-2024-42008, which have critical and high ratings respectively. The flaws impact Roundcube version 1.6.7 and below, and version 1.5.7 and below.

No user interaction is required to exploit CVE-2024-42009, while CVE-2024-42008 requires a single click by the victim.

“These allow an unauthenticated attacker to steal emails and contacts, as well as send emails from a victim’s account. All the victim user has to do is view a malicious email in Roundcube,” reads the report published by Sonar. “Attackers can gain a persistent foothold in the victim’s browser across restarts, allowing them to exfiltrate emails continuously or steal the victim’s password the next time it is entered.”
