Roundcube Webmail: a random click on an email opens the way for hackers to access your data

How did developers allow three vulnerabilities to exist in their product at the same time?

Security researchers at SonarSource uncovered vulnerabilities in the Roundcube webmail software that, under certain conditions, let an attacker execute malicious JavaScript in a victim's browser and steal confidential information from their account.

According to the researchers, when a user views a malicious email sent by an attacker, Roundcube renders it in a way that runs the attacker's JavaScript in the user's browser. That is enough to steal emails, contacts and the email password, and to send emails on the victim's behalf.

Following responsible disclosure on June 18, 2024, the vulnerabilities were fixed in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024.
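The practical first step for an administrator is to find every Roundcube install that is still below the fixed releases named above. The following version check is an added example written for this article, not SonarSource's or Roundcube's code; the sample inventory in it is constructed, and the remark about reading the version from `program/include/iniset.php` (the `RCMAIL_VERSION` constant) is an assumption about the install layout, not something the article states.

```python
"""Flag Roundcube installs below the releases that fixed
CVE-2024-42008, CVE-2024-42009 and CVE-2024-42010 (1.6.8 and 1.5.8).

Added illustration for this article; not project code. In a real run the
version string would come from the host, e.g. the RCMAIL_VERSION constant
in program/include/iniset.php (assumed location).
"""
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)}


def parse_version(text):
    """'1.6.7' -> (1, 6, 7); rejects anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(text):
    """Classify one version string.

    'vulnerable'  - a 1.5.x or 1.6.x build below the fixed release
    'patched'     - at or above the fixed release for its branch, or a
                    newer branch (assumed to carry the fix, since it was
                    released after it)
    'unsupported' - an older branch; the article names no fix for it,
                    so treat it as exposed and plan a migration
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "patched"
    return "unsupported"


def triage(inventory):
    """Return {hostname: status} for a {hostname: version} mapping."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "mail1.example.test": "1.6.7",
        "mail2.example.test": "1.6.8",
        "legacy.example.test": "1.5.3",
        "old.example.test": "1.4.15",
    }
    for host, result in triage(sample).items():
        print(f"{host:22} {sample[host]:8} {result}")
```

Anything reported as `vulnerable` should be updated before users open untrusted mail; `unsupported` hosts need a migration rather than a patch, since the article lists fixes only for the 1.5 and 1.6 branches.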

The list of vulnerabilities includes:
  • CVE-2024-42008 — cross-site scripting vulnerability via malicious attachment with a dangerous Content-Type header;
  • CVE-2024-42009 — cross-site scripting vulnerability that occurs during post-processing of cleaned HTML content;
  • CVE-2024-42010 — information disclosure vulnerability due to insufficient CSS filtering.

Successful exploitation lets an unauthenticated attacker who can deliver a specially prepared email read the victim's emails and contacts and send email on their behalf, once the victim views the message in Roundcube.

Security researcher Oscar Zeino-Makhmalat noted that an attacker can establish a persistent foothold in the victim's browser that survives restarts, allowing them to continuously exfiltrate emails or capture the victim's password the next time it is entered.

Exploiting CVE-2024-42009 requires no user interaction beyond viewing the attacker's email. CVE-2024-42008 requires a single click from the victim, but an attacker can make that interaction invisible.

Further technical details are being withheld deliberately to give users time to update to the latest version. Webmail vulnerabilities have been exploited repeatedly by state-sponsored groups such as APT28, Winter Vivern and TAG-70, so updating should not be delayed.
