Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.
"Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account."
Following responsible disclosure on June 18, 2024, the three vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8 released on August 4, 2024.
The list of vulnerabilities is as follows –
- CVE-2024-42008 – A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
- CVE-2024-42009 – A cross-site scripting flaw that arises from post-processing of sanitized HTML content
- CVE-2024-42010 – An information disclosure flaw that stems from insufficient CSS filtering
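The first entry above, an attachment served with an attacker-chosen Content-Type header, is a generic webmail hardening problem: the browser must never be allowed to render a mail attachment as active content (HTML, SVG, XML) in the webmail origin. The following is an added example written for this article, not Roundcube's code and not Sonar's analysis. It generalizes beyond the single case in the text to any declared MIME type: the type is normalized, only a small allowlist of passive types is served inline, and everything else is forced to download with `X-Content-Type-Options: nosniff` and a sandboxing Content-Security-Policy. The allowlist, the function names and the header set are assumptions chosen for this example, not Roundcube's actual fix.

```python
import re

# Passive types a browser may render inline without running script.
# Conservative allowlist (assumption for this example); SVG and HTML are
# deliberately absent because both can carry script.
INLINE_SAFE_TYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp", "text/plain",
}

# RFC 2045 token grammar for "type/subtype" (parameters already stripped).
_TOKEN = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$")


def normalize_mime(declared: str) -> str:
    """Lower-case the attacker-supplied Content-Type and drop its parameters
    ('Text/HTML; charset=utf-8' -> 'text/html'). Anything that is not a
    syntactically valid type/subtype becomes an opaque octet stream."""
    base = declared.split(";", 1)[0].strip().lower()
    return base if _TOKEN.match(base) else "application/octet-stream"


def safe_filename(name: str) -> str:
    """Remove CR/LF, quotes and backslashes so the attachment name can neither
    inject a new header line nor break out of the quoted filename parameter."""
    cleaned = re.sub(r'[\r\n"\\]', "", name).strip()
    return cleaned or "attachment"


def attachment_headers(declared_type: str, filename: str) -> dict:
    """Build the response headers for serving one attachment.

    Inline rendering is granted only to allowlisted passive types; every other
    type, including text/html and image/svg+xml, is downloaded as
    application/octet-stream so the declared type cannot drive rendering."""
    mime = normalize_mime(declared_type)
    fname = safe_filename(filename)
    headers = {
        # Forbid MIME sniffing, so a text/plain body is never promoted to HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if something does render, it gets an opaque origin and no script.
        "Content-Security-Policy": "sandbox",
    }
    if mime in INLINE_SAFE_TYPES:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = f'inline; filename="{fname}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{fname}"'
    return headers


if __name__ == "__main__":
    # Constructed sample attachments: one benign image, two that must not render.
    for declared, name in [("Image/PNG", "photo.png"),
                           ("text/html; charset=utf-8", "invoice.html"),
                           ("image/svg+xml", "logo.svg")]:
        print(declared, "->", attachment_headers(declared, name))
```

The check runs on the server side before the attachment bytes are written; the allowlist is intentionally short, and widening it (for example to PDF) should be a deliberate decision because some passive-looking formats can still embed script.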
Successful exploitation of the aforementioned flaws could allow unauthenticated attackers to steal emails and contacts, as well as send emails from a victim's account, but only after the victim views a specially crafted email in Roundcube.
"Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered," security researcher Oskar Zeino-Mahmalat said.
"For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is required for the exploit to work, but the attacker can make this interaction unobvious for the user."
Additional technical details about the issues have been withheld to give users time to update to the latest version, and in light of the fact that flaws in the webmail software have been repeatedly exploited by nation-state actors like APT28, Winter Vivern, and TAG-70.
The findings come as details have emerged about a maximum-severity local privilege escalation flaw in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0) that permits an attacker to elevate to root and execute several critical commands. The vulnerability has been addressed in version 3.1.5.
"The www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password," a security researcher who goes by the online alias 0xZon1 said. "This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root."
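The permission combination 0xZon1 describes, a web-server account that can both write a systemd unit file and restart that unit through password-less sudo, is something a defender can audit on any host rather than only on RaspAP. The script below is an added example written for this article, not RaspAP's code and not the researcher's proof of concept. The unit name restapi.service comes from the quote; the sudoers fragment, the file mode and the uid/gid values are constructed samples; and the sudoers parser is deliberately simplified (an assumption for this example: no aliases, no `%group` entries, no backslash line continuations).

```python
import os
import pwd
import grp
import re
import stat

# Matches a sudoers user specification: "user host=(runas) TAGS: cmd1, cmd2".
# Simplified on purpose (assumption): no aliases, no %group, no continuations.
SUDO_LINE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.*)$")


def writable_by(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> bool:
    """Pure permission-bit check for a non-root account: can `uid`, a member of
    the groups in `gids`, write a file with this mode and ownership?"""
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def nopasswd_commands(sudoers_text: str, user: str) -> list:
    """Return the commands `user` may run through sudo without a password."""
    cmds = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and #include lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_LINE.match(line)
        if not m or m.group("who") != user:
            continue
        rest = m.group("rest")
        if "NOPASSWD:" not in rest:
            continue
        spec = rest.split("NOPASSWD:", 1)[1]
        cmds.extend(c.strip() for c in spec.split(",") if c.strip())
    return cmds


def audit_unit(unit_name: str, unit_writable: bool, cmds: list) -> list:
    """Combine the two facts into findings. The critical case is a unit file the
    web user can edit plus a password-less sudo rule that (re)starts that unit:
    whatever ExecStart= is written into the unit then runs as root."""
    findings = []
    if unit_writable:
        findings.append(f"{unit_name}: unit file is writable by the web-server user")
    restarts = [c for c in cmds if "systemctl" in c and unit_name in c]
    if unit_writable and restarts:
        findings.append(
            f"{unit_name}: web-server user can rewrite the unit and restart it "
            f"as root via sudo ({restarts[0]}), i.e. root code execution"
        )
    return findings


def unit_writable_on_disk(path: str, username: str) -> bool:
    """Live check against a real file and account on a deployed system
    (not used by the constructed sample below)."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return writable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


# Constructed sample: a sudoers fragment plus a unit file that is group-writable
# by the web-server group (gid 33 is www-data on Debian-derived systems).
SAMPLE_SUDOERS = """\
# constructed sample, not RaspAP's real sudoers file
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /bin/systemctl restart restapi.service, /bin/systemctl stop restapi.service
www-data ALL=(ALL) NOPASSWD: /sbin/ifconfig
"""
SAMPLE_UNIT = {"mode": 0o100664, "uid": 0, "gid": 33}   # -rw-rw-r-- root:www-data
WWW_DATA = {"uid": 33, "gids": {33}}


def sample_findings() -> list:
    """Run the audit over the constructed sample and return its findings."""
    writable = writable_by(SAMPLE_UNIT["mode"], SAMPLE_UNIT["uid"], SAMPLE_UNIT["gid"],
                           WWW_DATA["uid"], WWW_DATA["gids"])
    cmds = nopasswd_commands(SAMPLE_SUDOERS, "www-data")
    return audit_unit("restapi.service", writable, cmds)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

On a real host, replace the constructed inputs with `unit_writable_on_disk("/etc/systemd/system/restapi.service", "www-data")` and the output of `sudo -l -U www-data` (or the contents of `/etc/sudoers` and `/etc/sudoers.d/*`); the remediation is the same in either case: the unit file must be owned by root and not writable by the web-server account, and password-less sudo rules for that account should be reduced to the minimum commands the application truly needs.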