Roundcube Webmail: Attackers can hijack emails through critical gap

Admins should update Roundcube to the latest version for security reasons. Many universities rely on this webmail product.


(Image: Alfa Photo/Shutterstock.com)


Attackers can exploit several vulnerabilities in Roundcube Webmail and, in the worst case, read victims' emails or even send emails in their name. One of the vulnerabilities is classified as "critical". Fixed versions are available for download.

A security advisory from the project states that the developers have closed a total of three vulnerabilities (CVE-2024-42008, rated "high"; CVE-2024-42009, rated "critical"; CVE-2024-42010, rated "medium"). Because input in message_body() of an email message is not sufficiently sanitized, remote attackers can trigger the critical vulnerability via crafted emails.

To do this, a victim only has to open a manipulated message; the victim's browser then executes JavaScript supplied by the attackers. If such an XSS attack succeeds, attackers can, for example, capture passwords and then send email messages in the name of the victims, according to security researchers from Sonar.


If attackers successfully exploit the other two vulnerabilities, this can lead to an information leak, for example.

Roundcube Webmail is used by governments and universities, among others. In the government context, there were already attacks on other gaps in Roundcube servers at the end of October.

Accordingly, admins should act quickly and install the secured versions 1.5.8 or 1.6.8. All previous versions are said to be vulnerable. However, there are currently no reports of ongoing attacks and security researchers are deliberately withholding details so that admins have time to install the security updates.
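The following is an added example (not code from the Roundcube project or from the article) that an admin could use to check whether an installation is on one of the fixed releases named above. It assumes the version string is available in the `define('RCMAIL_VERSION', ...)` form found in Roundcube's `program/include/iniset.php`; the sample file content is constructed. Branches older than 1.5 are treated as affected, as the article says all previous versions are; branches newer than 1.6 are assumed to postdate the fix.

```python
"""Decide whether a Roundcube version is below the fixed releases 1.5.8 / 1.6.8.

Added example; not part of Roundcube. The iniset.php define() format and the
treatment of branches newer than 1.6 are assumptions.
"""
import re

# Branch -> first release in that branch carrying the fix (per the advisory).
FIXED = {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)}


def parse_version(text: str) -> tuple:
    """Turn '1.6.7' or '1.6.7-rc1'-style strings into an int tuple (1, 6, 7)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def needs_update(version: str) -> bool:
    """True if the given version is affected and should be upgraded."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Older branches: the advisory says all previous versions are affected.
    # Newer branches (assumption): released after the fix, treated as fixed.
    return branch < (1, 5)


def version_from_iniset(source: str) -> str:
    """Extract RCMAIL_VERSION from iniset.php text (assumed define() form)."""
    m = re.search(r"define\('RCMAIL_VERSION',\s*'([^']+)'\)", source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


# Constructed sample of what the relevant line in iniset.php looks like.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.7');\n"

if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(found, "needs update" if needs_update(found) else "is at a fixed release")
```

In practice, point `version_from_iniset` at the real file on the server (or compare the version shown in the Roundcube about dialog) and upgrade any installation for which `needs_update` returns True.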

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.