Open source webmail provider fixes a serious bug that can be triggered via malicious emails

Roundcube urges users to update to fix stored XSS email security vulnerability

Roundcube is urging users to update their installations to resolve a security vulnerability that can be exploited to conduct stored, or persistent, cross-site scripting (XSS) attacks.

On July 21, an advisory was published concerning CVE-2020-15562, a vulnerability present in the Roundcube stable version 1.4 and LTS versions 1.3 and 1.2.

Written in PHP, Roundcube is an open source webmail project which offers a browser-based skinnable IMAP client in multiple languages. Features include MIME support, an address book, folders, and message search functionality.

Roundcube currently uses the jQuery 3.x client.

Input sanitization issue

Discovered by independent security researcher Andrea Cardaci and reported to the SSD Secure Disclosure program, the flaw – deemed “medium-severity” by NVD – represents an input sanitization issue that can be exploited to perform stored XSS attacks.

According to Cardaci, Roundcube uses a customized version of the Washtml HTML sanitizer to display untrusted HTML code in emails.

One of the modifications is the inclusion of an exception for the svg tag to properly handle XML namespaces. However, a vulnerability in the handling protocol results in failed sanitization checks.

This can be exploited via a JavaScript payload abusing the namespace attribute, such as through a malicious email message containing an HTML onload event.

If triggered, this can lead to stored XSS attacks.

READ MORE Unpatched Tenda WiFi router vulnerabilities leave home networks wide open to abuse

Discussing the potential ramifications of the exploit, Cardaci told The Daily Swig: “A successful attack allows the execution of arbitrary JavaScript code in the context of the authenticated victim's session, thus basically impersonating the logged-in user.

“This gives an attacker the same power that the legit user has, including but not limited to: reading and deleting messages, sending emails on the behalf of the victim, accessing to the address lists, [and] conducting spam campaigns.

“From the personal correspondence, an attacker could gain other sensitive information that could possibly enable a malicious actor to access external services, [such as] plaintext credentials [and] confirmation emails.”

Coordinated disclosure

Cardaci reached out to the SSD Secure Disclosure program with his findings on June 5. By June 25, the program had accepted the report and issued an unspecified financial reward.

Roundcube resolved the vulnerability on July 5.

The vulnerability was fixed in Roundcube 1.4.7, 1.3.14 and 1.2.11.

In an advisory posted July 5, Roundcube said it “strongly recommends” users to update their software to prevent themselves becoming victim to XSS attacks made possible through the security issue.

RECOMMENDED GitHub security team finds remote code execution bug in popular Node.js changelog library