Roundcube Webmail has released critical security updates addressing two significant vulnerabilities affecting versions 1.6 and 1.5 LTS.
The flaws could enable attackers to execute malicious scripts and gain unauthorized access to sensitive information through multiple attack vectors.
The first vulnerability is a Cross-Site Scripting (XSS) flaw in Roundcube’s SVG handling mechanism. Attackers can exploit the SVG animate tag to inject and execute arbitrary JavaScript code within the webmail interface.
This vulnerability, reported by security researcher Valentin T. from CrowdStrike, presents a significant risk to webmail users.
Successful exploitation could allow attackers to steal session tokens, credentials, and sensitive email data.
| CVE ID | Vulnerability Type | Affected Versions | Severity | Description |
|---|---|---|---|---|
| CVE-2024-XXXXX | Cross-Site-Scripting (XSS) | 1.6.x, 1.5.x LTS | High | Information Disclosure in HTML-style sanitizer bypassing filters |
| CVE-2024-XXXXX | Information Disclosure | 1.6.x, 1.5.x LTS | Medium-High | Information Disclosure in HTML style sanitizer bypassing filters |
The second vulnerability involves an Information Disclosure flaw in Roundcube’s HTML style sanitizer. Reported by security researcher somerandomdev, this vulnerability could permit attackers to bypass sanitization filters.
And access confidential information through specially crafted HTML content. The vulnerability in the sanitization logic creates a pathway for information leakage that could compromise user privacy.
Roundcube has released patched versions addressing both vulnerabilities, strongly recommends immediate updates for all productive installations running versions 1.6. x and 1.5. x.
System administrators should prioritize deploying versions 1.6.12 and 1.5.12 to eliminate exploitation risks. The updated versions are available on GitHub’s official Roundcube repository.
Users should verify their current Roundcube version and apply updates without delay, as these vulnerabilities could be actively exploited in the wild.
Organizations relying on Roundcube for email services should treat this update as critical infrastructure maintenance.
The security fixes are comprehensive and address both the client-side script-injection vector and the server-side information-disclosure risk.
Complete changelog details are available in the official release notes for both updated versions.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free
