SecurityWeek

Roundcube Webmail Vulnerability Exploited in Government Attack

An XSS vulnerability in Roundcube Webmail has been targeted for code execution against a governmental organization in a CIS country.

A threat actor was caught attempting to exploit a recent vulnerability in Roundcube Webmail against a governmental organization in a Commonwealth of Independent States (CIS) country, cybersecurity firm Positive Technologies reports.

Tracked as CVE-2024-37383 and described as a cross-site scripting (XSS) issue affecting the way Roundcube was handling SVG animate attributes, the bug was patched on May 19 in Roundcube Webmail versions 1.5.7 and 1.6.7.

According to Positive Technologies, the targeted entity received an email message that only contained an attachment, without a text body. The message was sent in June.

The email client, the cybersecurity firm says, did not show the attachment, and the email body contained distinctive tags and a statement to decode and execute JavaScript code.

“The distinctive attribute name (attributeName=“href ”), containing an extra space, indicated that the email was an attempt to exploit the CVE-2024-37383 vulnerability in Roundcube Webmail,” Positive Technologies explains.

Prior to displaying the email message, when processing SVG elements with the animate attribute, Roundcube would exclude elements containing the ‘href’ attribute name from the final page.

However, the function responsible for checking the attribute did not exclude elements whose attribute name contained the extra space, allowing them to appear on the page.

Furthermore, because the attribute value would be considered as the attribute name, an attacker could insert JavaScript code as the value for ‘href’, which would be executed whenever the Roundcube client opened the malicious email.
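A defensive check for the indicator described above, as an added example that is not code from the article, Positive Technologies or Roundcube: it scans an HTML mail body for SVG animate elements whose attributeName equals href once surrounding whitespace is stripped, and records whether an exact-match filter would have missed it. The function names, the sample bodies and the inclusion of xlink:href are assumptions made for this example.

```python
from html.parser import HTMLParser

# Attribute names an animate element must not target. "href" is from the
# article; "xlink:href" is an assumption added for this example.
BLOCKED_TARGETS = {"href", "xlink:href"}

def strict_match(value):
    """Exact comparison, the kind of check a padded name slips past."""
    return value.lower() in BLOCKED_TARGETS

def normalized_match(value):
    """Strip surrounding whitespace before comparing."""
    return value.strip().lower() in BLOCKED_TARGETS

class AnimateScanner(HTMLParser):
    """Collects <animate> elements whose attributeName targets a blocked name."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, not values.
        if tag != "animate":
            return
        for name, value in attrs:
            if name == "attributename" and value and normalized_match(value):
                self.findings.append({
                    "raw": value,
                    "padded": value != value.strip(),
                    "missed_by_strict": not strict_match(value),
                })

def scan_body(html):
    """Return one finding per suspicious <animate> element in a mail body."""
    scanner = AnimateScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample bodies; the values are harmless placeholders.
SAMPLES = {
    "padded": '<svg><animate attributeName="href " values="#constructed"/></svg>',
    "plain": '<svg><animate attributeName="href" values="#constructed"/></svg>',
    "benign": '<svg><animate attributeName="opacity" values="0;1"/></svg>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan_body(body))
```

A finding with `padded` set is the stronger signal, since legitimate mail has no reason to pad an attributeName value with whitespace.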

As part of the observed attack, the executed code was meant to save the attached document and to obtain emails from the server using the ManageSieve plugin.

The code also added fields for the recipient’s username and password to the displayed HTML page, to harvest the credentials and send them to an attacker-controlled server.

The cybersecurity firm could not link the attack to a known threat actor, but Roundcube vulnerabilities were previously exploited by the Russian cyberespionage group Winter Vivern.

“While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies. Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information,” Positive Technologies notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
