Cybersecurity researchers have disclosed security flaws in the Roundcube webmail software that, under specific circumstances, could let an attacker execute malicious JavaScript in a victim's web browser and steal sensitive information from their account.
Sonar, a cybersecurity company, said that when a victim views a malicious email in Roundcube, an attacker can execute arbitrary JavaScript in that victim's browser. This could lead to the theft of emails, contacts, and the email password, and could let the attacker send emails from the victim's account without their consent.
Sonar responsibly disclosed three issues to Roundcube on June 18, 2024. Roundcube fixed them in versions 1.6.8 and 1.5.8, released on August 4, 2024:
- CVE-2024-42008: A cross-site scripting (XSS) flaw via a malicious email attachment served with a dangerous Content-Type header
- CVE-2024-42009: An XSS flaw arising from the post-processing of sanitized HTML content
- CVE-2024-42010: An information disclosure flaw stemming from insufficient CSS filtering
Successful exploitation lets unauthenticated attackers read a victim's emails and contacts and send emails from the victim's account, provided the victim opens a crafted email in Roundcube.
Researcher Oskar Zeino-Mahmalat noted that attackers could also gain a persistent foothold in the victim's browser, letting them exfiltrate data or capture the password the next time the victim logs in. Exploiting CVE-2024-42009 requires no user interaction beyond viewing the malicious email; CVE-2024-42008, however, requires a single click, which can be disguised so that it does not look suspicious.
The researchers are withholding further technical details to give users time to update, bearing in mind that Roundcube flaws have previously been exploited by nation-state actors such as APT28, Winter Vivern, and TAG-70.
Separately, a critical local privilege escalation flaw (CVE-2024-41637) in the RaspAP open-source project has come to light. The vulnerability, which has been addressed in version 3.1.5, allows an attacker to elevate their privileges to root and execute several critical commands.
Security researcher 0xZon1 explained the vulnerability as follows: “The www-data user can both modify the restapi.service file and run certain critical commands with sudo without needing a password. This dangerous combination enables an attacker to alter the service, allowing them to run any code with root-level access. As a result, they can escalate their privileges from the www-data user to full root access.”
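The quoted description is a textbook two-ingredient privilege escalation: on its own, write access to a unit file is not root, and on its own, passwordless `sudo systemctl` is not root, but together they are. The audit helper below is an added example, not RaspAP's code or its fix; it encodes that combination as a check that can be pointed at a parsed sudoers file and the ownership and mode of unit files. The sudoers lines and unit-file metadata are constructed to model the description, not copied from a real install, and the sudoers parser deliberately handles only the common one-line rule form.

```python
"""Audit helper for the misconfiguration pattern described above: a
low-privileged service account that can both rewrite a systemd unit file and
drive service control through passwordless sudo. Added example, not RaspAP's
code; all sample data below is constructed."""
from __future__ import annotations

import re

# user  host=(runas) [TAG:] cmd, cmd ...   (one-line sudoers rule, no aliases)
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
SERVICE_CONTROL_RE = re.compile(r"(?:^|/)(systemctl|service)(?:\s|$)")


def nopasswd_commands(sudoers_text: str, user: str) -> list[str]:
    """Commands `user` may run via sudo without a password according to the
    rules in `sudoers_text`. Handles the common one-line form only (no
    User_Alias / Cmnd_Alias, no line continuations, no #include)."""
    cmds: list[str] = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m or m.group(1) != user:
            continue
        spec = m.group(2)
        if "NOPASSWD:" not in spec:
            continue
        for cmd in spec.split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            if cmd.startswith("PASSWD:"):  # a later PASSWD: tag re-enables the prompt
                break
            if cmd:
                cmds.append(cmd)
    return cmds


def user_can_write(owner: str, group: str, mode: int, user: str, groups: set[str]) -> bool:
    """Classic Unix permission check (owner bits, else group bits, else other
    bits) for `user`, who is a member of `groups`. Ignores ACLs and capabilities."""
    if owner == user:
        return bool(mode & 0o200)
    if group in groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def find_unit_privesc(sudoers_text: str, units: dict[str, tuple[str, str, int]],
                      user: str, groups: set[str]) -> list[str]:
    """Flag every unit file `user` can rewrite when that same user can also run
    systemctl/service (or ALL) via passwordless sudo. Rewriting ExecStart and
    then having the unit reloaded and restarted runs attacker code as root."""
    control = [c for c in nopasswd_commands(sudoers_text, user)
               if c == "ALL" or SERVICE_CONTROL_RE.search(c)]
    if not control:
        return []
    findings = []
    for path, (owner, group, mode) in units.items():
        if user_can_write(owner, group, mode, user, groups):
            findings.append(f"{path} is writable by {user}, who can also run "
                            f"{'; '.join(control)} via sudo without a password")
    return findings


# Constructed samples modelling the description above (not RaspAP's real files).
SAMPLE_SUDOERS = """\
Defaults  env_reset
root      ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: /bin/systemctl restart restapi.service, /bin/systemctl daemon-reload
www-data  ALL=(ALL) NOPASSWD: /usr/bin/apt update, PASSWD: /usr/bin/apt upgrade
"""
# path -> (owner, group, permission bits)
VULNERABLE_UNITS = {
    "/lib/systemd/system/restapi.service": ("www-data", "www-data", 0o644),  # service account owns its own unit
    "/lib/systemd/system/ssh.service": ("root", "root", 0o644),
}
HARDENED_UNITS = {
    "/lib/systemd/system/restapi.service": ("root", "root", 0o644),  # root-owned, not writable by www-data
    "/lib/systemd/system/ssh.service": ("root", "root", 0o644),
}

if __name__ == "__main__":
    for f in find_unit_privesc(SAMPLE_SUDOERS, VULNERABLE_UNITS, "www-data", {"www-data"}):
        print("FINDING:", f)
    print("hardened:", find_unit_privesc(SAMPLE_SUDOERS, HARDENED_UNITS, "www-data", {"www-data"}))
```

Note that the hardened data set still grants `www-data` the same passwordless `systemctl` commands; the finding disappears only because the unit file is no longer writable by that account. Either ingredient alone is a finding worth raising, but it is the pair that makes the web server account equivalent to root.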