Cybersecurity researchers have revealed details of a security flaw in the Roundcube webmail software that could be exploited to run malicious JavaScript in a victim's web browser and, under certain circumstances, steal sensitive account information.
"When a victim views a malicious email sent by an attacker in Roundcube, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.
“Attackers can exploit the vulnerability to steal emails, contacts and the victim’s email password, as well as send email from the victim’s account.”
Following responsible disclosure on June 18, 2024, the three flaws were addressed in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
The weaknesses are listed below:
- CVE-2024-42008 – A cross-site scripting flaw via a malicious email attachment delivered with a dangerous Content-Type header.
- CVE-2024-42009 – A cross-site scripting flaw caused by post-processing of sanitized HTML content.
- CVE-2024-42010 – An information disclosure flaw caused by inadequate CSS filtering.
Successful exploitation of the aforementioned flaws could allow unauthenticated attackers to steal emails and contacts, as well as send emails from a victim's account, but only after the victim views a specially crafted email in Roundcube.
"Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered," said security researcher Oskar Zeno-Mehmlat.
"For a successful attack, no user interaction beyond the victim viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009)."
Additional technical details about the issues have been withheld to give users time to update to the latest version, and in light of the fact that flaws in the webmail software have been repeatedly exploited by nation-state actors such as APT28, Winter Vivern, and TAG-70.
The findings come as details have emerged of a maximum-severity local privilege escalation flaw in the RaspAP open source project (CVE-2024-41637, CVSS score: 10.0) that allows an attacker to gain root access and execute several critical commands. The vulnerability has been fixed in version 3.1.5.
"The www-data user has write access to the restapi.service file and also has sudo privileges to execute several key commands without a password," said a security researcher who goes by the online alias 0xZon1. "This set of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, elevating their access from www-data to root."
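The RaspAP root cause quoted above is a combination of two permissions. The following added audit helper (not RaspAP's own code) checks a host for that pattern: it reports a systemd unit file writable by the web-server account, passwordless sudo entries for that account, and flags the combination as a root-escalation path. The unit ownership, mode bits and sudoers fragment are constructed sample values, not taken from a real RaspAP install.

```python
import re
import stat
from dataclasses import dataclass

@dataclass
class UnitFile:
    path: str
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o664

def unit_writable_by(unit: UnitFile, user: str, groups: frozenset) -> bool:
    """True if `user` (a member of `groups`) can modify the unit file."""
    if unit.owner == user and unit.mode & stat.S_IWUSR:
        return True
    if unit.group in groups and unit.mode & stat.S_IWGRP:
        return True
    return bool(unit.mode & stat.S_IWOTH)

# sudoers form: user host=(runas) NOPASSWD: cmd1, cmd2   (the runas part is optional)
NOPASSWD_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")

def nopasswd_commands(sudoers: str, user: str, groups: frozenset) -> list:
    """Commands `user` may run via sudo with no password, directly or via a %group."""
    principals = {user} | {"%" + g for g in groups}
    cmds = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = NOPASSWD_RE.match(line)
        if m and m.group(1) in principals:
            cmds.extend(c.strip() for c in m.group(2).split(","))
    return cmds

def audit(unit: UnitFile, sudoers: str, user="www-data", groups=frozenset({"www-data"})):
    """Return findings; the last entry is the combined root path when both conditions hold."""
    findings = []
    writable = unit_writable_by(unit, user, groups)
    cmds = nopasswd_commands(sudoers, user, groups)
    if writable:
        findings.append(f"{unit.path} is writable by {user}")
    if cmds:
        findings.append(f"{user} has NOPASSWD sudo for: {', '.join(cmds)}")
    if writable and cmds:
        findings.append(f"root path: {user} can rewrite {unit.path} and use sudo to apply it")
    return findings

# Constructed sample input modelled on the quoted description (hypothetical values).
SAMPLE_UNIT = UnitFile("/etc/systemd/system/restapi.service", "root", "www-data", 0o664)
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers fragment
root    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /bin/systemctl restart restapi.service, /sbin/ifconfig
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_UNIT, SAMPLE_SUDOERS):
        print("FINDING:", finding)
```

On a real host, populate `UnitFile` from `os.stat` on the unit path and read `/etc/sudoers` plus `/etc/sudoers.d/*`; the fix is to make the unit root-owned and non-group-writable and to remove the passwordless sudo grant.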