Open source webmail provider fixes a serious bug that can be triggered via malicious emails
Roundcube is urging users to update their installations to resolve a security vulnerability that can be exploited to conduct stored, or persistent, cross-site scripting (XSS) attacks.
On July 21, an advisory was published concerning CVE-2020-15562, a vulnerability present in the Roundcube stable version 1.4 and LTS versions 1.3 and 1.2.
Written in PHP, Roundcube is an open source webmail project which offers a browser-based skinnable IMAP client in multiple languages. Features include MIME support, an address book, folders, and message search functionality.
Roundcube currently uses the jQuery 3.x client.
Input sanitization issue
Discovered by independent security researcher Andrea Cardaci and reported to the SSD Secure Disclosure program, the flaw – deemed “medium-severity” by NVD – represents an input sanitization issue that can be exploited to perform stored XSS attacks.
According to Cardaci, Roundcube uses a customized version of the Washtml HTML sanitizer to display untrusted HTML code in emails.
One of the modifications is the inclusion of an exception for the svg tag to properly handle XML namespaces. However, a vulnerability in the handling protocol results in failed sanitization checks.
If triggered, this can lead to stored XSS attacks.
“This gives an attacker the same power that the legit user has, including but not limited to: reading and deleting messages, sending emails on the behalf of the victim, accessing to the address lists, [and] conducting spam campaigns.
“From the personal correspondence, an attacker could gain other sensitive information that could possibly enable a malicious actor to access external services, [such as] plaintext credentials [and] confirmation emails.”
Cardaci reached out to the SSD Secure Disclosure program with his findings on June 5. By June 25, the program had accepted the report and issued an unspecified financial reward.
Roundcube resolved the vulnerability on July 5.
The vulnerability was fixed in Roundcube 1.4.7, 1.3.14 and 1.2.11.
In an advisory posted July 5, Roundcube said it “strongly recommends” users to update their software to prevent themselves becoming victim to XSS attacks made possible through the security issue.