Security researchers have disclosed vulnerabilities in the Roundcube webmail software that, under certain conditions, could be exploited to execute malicious JavaScript in a victim’s web browser and steal sensitive data from their account.
Cybersecurity firm Sonar stated in a report released this week that “when a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim’s browser.”
“Attackers can abuse the vulnerability to steal emails, contacts, and the victim’s email password, as well as send emails from the victim’s account.”
Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024, fix the three vulnerabilities, which were responsibly disclosed on June 18, 2024.
The vulnerabilities are as follows:
CVE-2024-42008: A cross-site scripting vulnerability via a malicious email attachment served with a dangerous Content-Type header
CVE-2024-42009: A cross-site scripting vulnerability that results from post-processing of sanitized HTML content
CVE-2024-42010: An information leakage vulnerability caused by insufficient CSS filtering
If the aforementioned vulnerabilities are successfully exploited, unauthenticated attackers may be able to send and receive emails from a victim’s account, as well as steal emails and contacts, all after the victim views a specially crafted email in Roundcube.
“Attackers can gain a persistent foothold in the victim’s browser across restarts, allowing them to exfiltrate emails continuously or steal the victim’s password the next time it is entered.” Oskar Zeino-Mahmalat, a
“To successfully exploit the major XSS vulnerability (CVE-2024-42009), the attacker only needs the victim to view the email. For CVE-2024-42008, the exploit only requires the victim to click once; however, the attacker can conceal this interaction from the user.”
Further technical information regarding the problems has been kept under wraps in order to allow users to update to the most recent version and because nation-state actors such as APT28, Winter Vivern, and TAG-70 have frequently taken advantage of vulnerabilities in the webmail software.
The findings coincide with the disclosure of a maximum-severity local privilege escalation vulnerability in the open-source RaspAP project (CVE-2024-41637, CVSS score: 10.0) that enables an attacker to elevate to root and execute several critical commands. The issue has been addressed in version 3.1.5.
According to a vulnerability researcher going by the online alias 0xZon1, “the www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password.”
“This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root.”
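As an added defensive illustration, not code from the article, from the researcher or from the RaspAP project: a small POSIX sh audit that checks for the two conditions described above, a systemd unit file writable by the web-server user and a passwordless sudo entry for that user. The ownership, mode and sudoers line it is run against are constructed for illustration, not taken from a real system.

```shell
#!/bin/sh
# Audit helper (added example): does the combination "web user can rewrite a
# service unit" + "web user has NOPASSWD sudo" exist? Either alone is a
# misconfiguration; together they form a direct www-data -> root path.

# Return 0 (true) if user $1 can write a file owned by $2, group $3, octal mode $4.
# Assumes $1 is not root and belongs to a group only when the group name equals
# the user name (as with www-data on Debian-derived systems).
file_writable_by() {
  user="$1"; owner="$2"; group="$3"; mode="0${4#0}"   # force octal literal
  if [ "$owner" = "$user" ] && [ $(( mode & 0200 )) -ne 0 ]; then return 0; fi
  if [ "$group" = "$user" ] && [ $(( mode & 0020 )) -ne 0 ]; then return 0; fi
  if [ $(( mode & 0002 )) -ne 0 ]; then return 0; fi   # world-writable
  return 1
}

# Return 0 if the sudoers text on stdin grants $1 a NOPASSWD rule.
# Comment lines start with '#', so they cannot match the anchored user name.
grants_nopasswd() {
  grep -Eq "^[[:space:]]*$1[[:space:]].*NOPASSWD:"
}

# Combine both checks for user $1 on a unit with owner $2, group $3, mode $4
# and sudoers contents $5. Returns 0 when the escalation path is present.
audit_escalation_path() {
  if file_writable_by "$1" "$2" "$3" "$4" && printf '%s\n' "$5" | grants_nopasswd "$1"; then
    echo "FINDING: $1 can rewrite the unit file and run sudo without a password"
    return 0
  fi
  echo "ok: no combined unit-write + NOPASSWD path for $1"
  return 1
}

# Demonstration on constructed values: a group-writable unit owned by the
# www-data group, plus a passwordless sudo rule for www-data (both assumed).
SUDOERS_BAD='www-data ALL=(ALL) NOPASSWD: /bin/systemctl restart restapi.service'
SUDOERS_OK='www-data ALL=(ALL) ALL'
audit_escalation_path www-data www-data www-data 664 "$SUDOERS_BAD" || true
audit_escalation_path www-data root root 644 "$SUDOERS_OK" || true
```

On a live host the same logic applies to the real unit file's `stat` output and to `sudo -l -U www-data`; the fix is to make the unit root-owned and mode 644 and to drop the NOPASSWD rule.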