Stored XSS vulnerability in Roundcube Webmail is exploited in attacks on ex-USSR government agencies. Researchers identified the attack but cannot determine the perpetrators
Roundcube Webmail Vulnerability
Cybersecurity researchers detected active exploitation of the Roundcube vulnerability CVE-2024-37383 (CVSS 6.1) in a June 2024 phishing attack targeting CIS government organizations. The attack used a hidden attachment in a malicious email to exploit a stored XSS vulnerability, aiming to steal credentials and intercept email communications.
Roundcube Webmail is an open-source email client built in PHP, allowing users to access email through a browser without extra apps. This makes it popular with commercial and government organizations, often drawing the interest of attackers.
Vulnerability CVE-2024-37383 is a stored XSS flaw allowing attackers to run JavaScript on victims’ devices, affecting Roundcube Webmail versions 1.5.6 and below and 1.6-1.6.6. It arises from improper handling of the ‘href’ attribute in SVG elements.
Roundcube’s SVG processing had a flaw where elements with an extra space in the ‘href’ attribute bypassed the sanitizer’s checks, allowing JavaScript injection. In this attack, a malicious email executed encoded JavaScript via eval(atob(...)), downloading a decoy document (‘road map.docx’) and attempting to exfiltrate messages from the mail server through the ManageSieve plugin.
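The two mechanisms above, a whitespace-padded attribute name slipping past an exact-match sanitizer check and an eval(atob(...)) payload, illustrated as an added Python example (not Roundcube’s code): a naive check beside a hardened one that normalizes the name the way a browser does, plus a triage helper that decodes eval(atob(...)) arguments. The attribute list and base64 string are constructed sample input, not the real attack payload.

```python
import base64
import re

# Constructed sample attribute tokens, as a sanitizer might receive them from an
# SVG element in an inbound HTML email. The second entry carries the extra
# whitespace described in the article; browsers trim it, an exact-match check does not.
SAMPLE_ATTRS = [
    ("width", "10"),
    (" href", "javascript:eval(atob('YWxlcnQoMSk='))"),  # base64 of alert(1), constructed
    ("fill", "red"),
]

# Attribute names a washer should never let through on SVG elements (illustrative set).
BLOCKED = {"href", "xlink:href", "onload", "onclick"}

def weak_check(name: str) -> bool:
    """Exact-match comparison: misses ' href' because of the leading space."""
    return name in BLOCKED

def hardened_check(name: str) -> bool:
    """Normalize (trim, lower-case) before comparing, matching browser behaviour."""
    return name.strip().lower() in BLOCKED

def wash_attrs(attrs, check):
    """Return the attributes that survive the given check."""
    return [(n, v) for n, v in attrs if not check(n)]

EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")

def decode_eval_atob(text: str):
    """Triage helper: decode every eval(atob('...')) argument found in text."""
    out = []
    for m in EVAL_ATOB.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            out.append("<undecodable>")
    return out

def scan(attrs):
    """Report attributes that evade the weak check and any encoded eval payloads."""
    findings = []
    for n, v in attrs:
        if hardened_check(n) and not weak_check(n):
            findings.append(f"attribute {n!r} evades exact-match check")
        for payload in decode_eval_atob(v):
            findings.append(f"eval(atob) payload decoded: {payload}")
    return findings
```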
The page also displayed a fake Roundcube login form to capture user credentials, which were then sent to a remote server at libcdn[.]org, hosted by Cloudflare. Despite similarities to past attacks involving APT groups like APT28, Winter Vivern, and TAG-70, researchers found no direct link to these groups.
Mitigation and Fixes:
- The vulnerability was initially addressed in versions 1.5.7 and 1.6.7 (released May 2024).
- Many organizations did not update promptly, leaving systems exposed.
- An XSS vulnerability persisted in versions 1.5.7 and 1.6.7.
- Version 1.6.9, which fully resolves the issue, is now available.
- Users and organizations are strongly advised to upgrade to version 1.6.9.