- Sonar’s Vulnerability Research Team recently discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube, a popular open-source webmail software.
- When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser.
- Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account.
- In October 2023, ESET Research reported that a similar vulnerability was actively used by the APT group Winter Vivern to attack European government entities.
- Roundcube administrators should update to the patched version 1.6.8 or 1.5.8 as soon as possible.
- All discovered issues are tracked as CVE-2024-42008, CVE-2024-42009 and CVE-2024-42010.
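The practical action item above is the upgrade to 1.6.8 or 1.5.8. The following is an added example (not code from Sonar or from the Roundcube project) that classifies a Roundcube version string against those two patched releases so an administrator can triage a fleet of installs. It assumes the version strings have already been collected from each install (for instance from the `RCMAIL_VERSION` constant Roundcube defines, or from its About dialog); the hostnames and versions in `SAMPLE_INVENTORY` are constructed for the demo.

```python
import re

# Patched releases named in the advisory summary above, keyed by release branch.
# Anything on these branches at or above the listed version contains the fix.
PATCHED_BY_BRANCH = {
    (1, 6): (1, 6, 8),
    (1, 5): (1, 5, 8),
}

# MAJOR.MINOR[.PATCH] followed by an optional snapshot/pre-release suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?P<suffix>[-+.a-zA-Z].*)?\s*$")


def parse_version(version):
    """Parse 'MAJOR.MINOR[.PATCH][suffix]' into (major, minor, patch, suffix).

    Returns None for strings that are not a version at all. A suffix such as
    '-dev', '-git' or '-rc1' is returned separately so the caller can decide
    how to treat snapshot builds.
    """
    m = _VERSION_RE.match(version or "")
    if not m:
        return None
    major, minor, patch = (int(x) if x else 0 for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group("suffix") or "")


def classify(version):
    """Classify a Roundcube version string against the patched releases.

    'patched'         - a release on the 1.6 or 1.5 branch at or above the fix
    'update_required' - an older release on those branches, or any older branch
    'unknown'         - unparseable, a snapshot/pre-release build, or a branch
                        newer than the advisory summary covers; check by hand
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch, suffix = parsed
    if suffix:
        # A snapshot like '1.6.8-dev' may predate the actual fix commit,
        # so do not treat it as patched on the strength of the number alone.
        return "unknown"
    branch = (major, minor)
    if branch in PATCHED_BY_BRANCH:
        fixed = PATCHED_BY_BRANCH[branch]
        return "patched" if (major, minor, patch) >= fixed else "update_required"
    if branch < min(PATCHED_BY_BRANCH):
        # Branches older than 1.5 have no fixed release named in the summary;
        # the only path to a patched build is moving to 1.5.8 or 1.6.8.
        return "update_required"
    return "unknown"


def hosts_needing_action(inventory):
    """Given {hostname: version}, return the hosts not confirmed patched, sorted."""
    return sorted(host for host, ver in inventory.items() if classify(ver) != "patched")


# Constructed sample inventory (not real hosts) for the demonstration.
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.7",
    "mail-b.example.test": "1.6.8",
    "mail-c.example.test": "1.5.8",
    "mail-d.example.test": "1.4.15",
    "mail-e.example.test": "1.6.8-dev",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(f"{host:22} {version:10} {classify(version)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Snapshot builds are deliberately reported as `unknown` rather than `patched`: a `1.6.8-dev` checkout may have been taken before the fix landed, so the version number alone does not prove the install is safe.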