Researchers have raised alarms about vulnerabilities in the Roundcube webmail software that could lead to the theft of sensitive information from user accounts. The Sonar Vulnerability Research Team identified a critical Cross-Site Scripting (XSS) flaw in Roundcube, which is widely used and included by default in cPanel, a popular server hosting panel. An attacker can exploit this vulnerability by sending a malicious email that executes arbitrary JavaScript in the victim’s browser, risking unauthorized access to emails, contacts, passwords, and even the ability to send emails from compromised accounts.
The experts discovered two XSS vulnerabilities tracked as CVE-2024-42009 and CVE-2024-42008, which are rated as critical and high severity, respectively. The critical vulnerability, CVE-2024-42009, does not require any user interaction for exploitation, while the high-severity CVE-2024-42008 only requires a single click from the victim. These vulnerabilities pose a significant threat, particularly to government employees, who are often targeted by advanced persistent threat (APT) groups for cyber espionage, as noted in a recent ESET Research report.
To address these vulnerabilities, researchers strongly recommend that Roundcube administrators update their software to the latest patches, versions 1.6.8 or 1.5.8, as a precautionary measure. In addition to updating, affected users are advised to change their email passwords and clear their browser’s site data associated with Roundcube to minimize the risk of compromise. Meanwhile, the experts have identified another information disclosure vulnerability, CVE-2024-42010, linked to insufficient filtering of Cascading Style Sheets (CSS) token sequences in rendered emails, which could further expose sensitive information.
Despite the potential for exploitation, the technical details of the vulnerabilities have not been disclosed to allow administrators time to implement the necessary updates. However, researchers warn that APT groups may still find ways to weaponize these vulnerabilities, underscoring the urgency for users and administrators to act swiftly to secure their systems against these emerging threats.
Reference:
