The issue:
A critical Cross-Site Scripting (XSS) vulnerability was discovered in Roundcube, open-source webmail software widely used by government agencies and universities.
- This vulnerability allows attackers to execute arbitrary JavaScript in the victim's browser simply by having them view a malicious email.
- Attackers can 'easily' exploit these vulnerabilities: no user interaction beyond opening the attacker's email is needed, or at most a single click, which makes them particularly dangerous.
WHY? These vulnerabilities can lead to the theft of emails, contacts, and passwords, as well as to unauthorized email sending from the victim's account!
Who and When:
- ESET Research highlighted that similar vulnerabilities were previously exploited by the Winter Vivern APT group to target European government entities.
- Sonar’s Vulnerability Research Team recently discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube.
- Patches from Roundcube released on August 4, 2024
Our note:
This is a good example of collaboration and responsiveness between researchers (Oskar Zeino-Mahmalat) and vendor (Aleksander Machniak)! :)
Solution:
If you are running Roundcube in version 1.6.7 and below, or in version 1.5.7 and below, you need to apply the Roundcube fix described here: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
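As an added example (not from the post or from the Roundcube project), a small Python check that applies the version ranges above to an inventory of installations; the host names are constructed, and the version strings are assumed to be whatever each install reports.

```python
import re

# Patched releases named in the Roundcube security update of 2024-08-04
# that the post links to: 1.5.8 for the 1.5 branch and 1.6.8 for 1.6.
FIXED_RELEASE = {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)}

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z][\w.-]*))?\s*")

def parse_version(text):
    """Parse a Roundcube version such as '1.6.7', '1.5.8' or '1.6.8-rc'.
    Returns (major, minor, patch, is_final); a pre-release tag makes is_final
    False so that '1.6.8-rc' sorts below the final '1.6.8'."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4] is None

def is_vulnerable(text):
    """True when the installed version is one the post says needs the fix:
    1.6.7 and below, or 1.5.7 and below (older branches count as 'below')."""
    major, minor, patch, final = parse_version(text)
    fixed = FIXED_RELEASE.get((major, minor))
    if fixed is None:
        # 1.4 and earlier are below both fixed branches; anything newer than
        # 1.6 is outside the range the advisory names.
        return (major, minor) < (1, 5)
    # A pre-release of the fixed version is treated as not yet fixed.
    return (major, minor, patch, final) < (*fixed, True)

def hosts_to_patch(inventory):
    """inventory: list of (host, version) pairs. Returns the hosts still
    running a vulnerable version, with the release they should move to."""
    todo = []
    for host, version in inventory:
        if is_vulnerable(version):
            branch = parse_version(version)[:2]
            target = FIXED_RELEASE.get(branch, FIXED_RELEASE[(1, 6)])
            todo.append((host, version, ".".join(map(str, target))))
    return todo

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("mail-a.example", "1.6.7"), ("mail-b.example", "1.6.8"),
              ("mail-c.example", "1.5.6"), ("mail-d.example", "1.4.13"),
              ("mail-e.example", "1.6.8-rc")]
    for host, version, target in hosts_to_patch(sample):
        print(f"{host}: {version} -> upgrade to {target}")
```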
Credits: Sonar - vulnerability-in-roundcube-webmail
- CVE: CVE-2024-42008
- CVE: CVE-2024-42009