Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.
"Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account."
Following responsible disclosure on June 18, 2024, the three vulnerabilities were addressed in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
The list of vulnerabilities is as follows -
- CVE-2024-42008 – A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
- CVE-2024-42009 – A cross-site scripting flaw that arises from post-processing of sanitized HTML content
- CVE-2024-42010 – An information disclosure flaw that stems from insufficient CSS filtering
Successful exploitation of the flaws could allow an attacker with no account on the target Roundcube instance to steal emails and contacts, as well as send emails from a victim's account, but only after the victim views a specially crafted email in Roundcube.
"Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered," security researcher Oskar Zeino-Mahmalat said.
"For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is required for the exploit to work, but the attacker can make this interaction unobvious for the user."
Additional technical details about the issues have been withheld to give users time to update to the latest version, and in light of the fact that flaws in the webmail software have been repeatedly exploited by nation-state actors such as APT28, Winter Vivern, and TAG-70.
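The description of CVE-2024-42008, an attachment served with a dangerous Content-Type header, points at a generic webmail hardening rule: the MIME type declared inside a message is attacker-controlled, so it must never be echoed back as the response Content-Type for an inline view. The example below is added for this article and is not Roundcube's patch (whose details were withheld); the safelist of inline-renderable types, the `sandbox` CSP and the helper names are assumptions chosen for illustration.

```python
import re

# Assumed safelist of types a browser can render inline without executing script in the
# webmail origin. Everything else, including text/html, image/svg+xml and XML types,
# is forced to a download. (Policy chosen for this example, not Roundcube's own list.)
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}


def normalize_type(declared):
    """Reduce a declared MIME type to lowercase 'type/subtype' with no parameters."""
    base = (declared or "").split(";", 1)[0].strip().lower()
    # Anything that is not a plain token/token pair (for example a header-injection
    # attempt carrying CR/LF) is treated as unknown binary content.
    if re.fullmatch(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+", base):
        return base
    return "application/octet-stream"


def safe_filename(name):
    """Strip characters that could break the quoting in Content-Disposition."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name or "")[:255]
    return cleaned or "attachment"


def attachment_headers(declared_type, filename, inline_requested=False):
    """Decide the response headers for serving a mail attachment.

    The declared type only ever selects between 'known-safe inline' and
    'opaque download'; it is never copied into the response unchanged.
    """
    ctype = normalize_type(declared_type)
    name = safe_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}  # stop browsers from guessing a type
    if inline_requested and ctype in INLINE_SAFE_TYPES:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{name}"'
        # Defense in depth: even if a renderer misbehaves, the response gets an opaque origin.
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample declared types, as an attacker could set them in a message.
    samples = [
        ("text/html; charset=utf-8", "invoice.html"),
        ("image/svg+xml", "logo.svg"),
        ("IMAGE/PNG", "photo.png"),
        ("image/png\r\nX-Injected: 1", "x.png"),
    ]
    for declared, fname in samples:
        print(declared.encode(), "->", attachment_headers(declared, fname, inline_requested=True))
```

The check a reviewer can apply to any webmail attachment handler is the same: find the code path that builds the response for an attachment view and confirm the Content-Type it emits is drawn from a fixed safelist, not from the message.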
The findings come as details have emerged about a maximum-severity local privilege escalation flaw in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0) that allows an attacker to elevate to root and execute several critical commands. The vulnerability has been addressed in version 3.1.5.
"The www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password," a security researcher who goes by the online alias 0xZon1 said. "This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root."
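The two conditions the researcher names, a systemd unit file the web server user can write and passwordless sudo for commands that act on it, can be audited on any host without exploiting anything. The script below is added for this article and is not RaspAP's code; the sample `sudo -l` output is constructed, the assumption that the passwordless commands include `systemctl` is the example's own (the advisory only says "several critical commands"), and uid 33 for www-data is the Debian default.

```python
import os
import re
import stat
import sys

# Constructed sample of `sudo -l -U www-data` output, modelled on the permission
# pattern the advisory describes. The exact command list is an assumption; the
# real RaspAP sudoers entries are not reproduced here.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on raspberrypi:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on raspberrypi:
    (ALL) NOPASSWD: /bin/systemctl restart restapi.service
    (ALL) NOPASSWD: /bin/systemctl enable restapi.service, /sbin/reboot
    (ALL) /usr/bin/apt update
"""


def nopasswd_commands(sudo_l_output):
    """Return the commands that `sudo -l` reports as runnable without a password."""
    cmds = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\([^)]*\)\s+NOPASSWD:\s*(.+?)\s*$", line)
        if m:
            cmds.extend(c.strip() for c in m.group(1).split(","))
    return cmds


def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a file with these stat values is writable by user `uid` whose groups are `gids`.

    Classic POSIX permission bits only; POSIX ACLs would need a separate check.
    """
    if uid == 0:
        return True
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def unit_takeover_possible(unit_path, unit_writable, cmds):
    """The chain the advisory describes: an editable unit file plus a passwordless way
    to make systemd act on it. Returns the enabling sudo command, or None."""
    if not unit_writable:
        return None
    unit = os.path.basename(unit_path)
    for c in cmds:
        if c == "ALL":
            return c
        # A systemctl entry naming this unit, or one not pinned to any unit at all
        # (e.g. a bare "/bin/systemctl"), is enough to (re)load the edited file.
        if "systemctl" in c and (unit in c or not c.endswith(".service")):
            return c
    return None


def audit_file(path, uid, gids):
    """Stat a real unit file and report whether `uid` can write it."""
    st = os.stat(path)
    return writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    # Usage: sudo -l -U www-data | python audit.py /lib/systemd/system/restapi.service [uid gid...]
    # Without piped input the constructed sample is parsed; without a path only the parse runs.
    text = SAMPLE_SUDO_L if sys.stdin.isatty() else sys.stdin.read()
    cmds = nopasswd_commands(text)
    print("NOPASSWD commands:", cmds)
    if len(sys.argv) > 1:
        path = sys.argv[1]
        uid = int(sys.argv[2]) if len(sys.argv) > 2 else 33  # 33 is www-data on Debian
        gids = {int(g) for g in sys.argv[3:]} or {uid}
        writable = audit_file(path, uid, gids)
        print(f"{path} writable by uid {uid}: {writable}")
        print("takeover via:", unit_takeover_possible(path, writable, cmds))
```

A clean result requires both halves to be closed: the unit file owned by root with mode 0644, and no NOPASSWD entry that lets the web user drive systemd over it. Fixing only one of the two leaves the other as a ready-made half of the next chain.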