Attackers have exploited an XSS vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization of a CIS country, Positive Technologies (PT) analysts have discovered.
The vulnerability was patched in May 2024, in Roundcube Webmail versions 1.5.7 and 1.6.7. The email carrying the exploit was sent in June 2024.
About CVE-2024-37383
Roundcube is an open-source, browser-based IMAP client with a user interface that makes it look like a standalone application.
CVE-2024-37383 is a cross-site scripting vulnerability that can be triggered via SVG animate attributes. Cross-site scripting allows attackers to inject malicious code into trusted websites; the injected code is executed once the website is loaded.
In this case, the email was crafted to show no text, just an attached document, but simply opening the email was enough to execute malicious JavaScript code on the user’s page.
The email carrying the exploit (Source: Positive Technologies)
The email body actually contains hidden JavaScript code, which downloads Road map.doc to serve as a decoy, while in the background it:
- Tries to grab messages from the mail server using the ManageSieve plugin
- Adds an authorization form to the HTML page displayed to the user, with the hope that the target’s login and password for the Roundcube client will either be autofilled or entered by the target. If that happens, the credentials are exfiltrated to a remote server controlled by the attackers.
This phishing campaign cannot be linked to known actors at this time, the researchers shared.
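A mail-gateway style check for the delivery vector described above, as an added example that is not code from Positive Technologies or the Roundcube project: it flags HTML mail parts that contain SVG animation elements and escalates when one of their attributes carries a script URL. The tag list, scheme list, verdict names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# The page names only <animate>; the sibling SVG animation elements are
# included as an assumption because they set target attributes the same way.
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class SvgAnimateFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attribute names arrive lowercased
        if tag not in ANIMATION_TAGS:
            return
        risky = []
        for name, value in attrs:
            # Browsers ignore tabs/newlines inside URLs, so drop them before matching.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if any(scheme in compact for scheme in SCRIPT_SCHEMES):
                risky.append(name)
        self.findings.append({"tag": tag, "script_attrs": risky})

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = SvgAnimateFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

def verdict(findings):
    """block: script URL in an animation attribute; review: animation element only."""
    if any(f["script_attrs"] for f in findings):
        return "block"
    return "review" if findings else "clean"

# Constructed sample messages (not taken from the campaign described on the page).
HEADERS = ("From: a@example.org\nTo: b@example.org\nSubject: constructed sample\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n")
SUSPICIOUS = HEADERS + '<svg><animate values="javascript:void(0)"></animate></svg>\n'
ANIMATION_ONLY = HEADERS + '<svg><animate values="0;1"></animate></svg>\n'
CLEAN = HEADERS + "<p>Agenda attached.</p>\n"

if __name__ == "__main__":
    print([verdict(scan_message(m)) for m in (SUSPICIOUS, ANIMATION_ONLY, CLEAN)])
```

A check like this complements, and does not replace, updating to the patched Roundcube Webmail versions 1.5.7 and 1.6.7.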
The importance of timely patching
XSS vulnerabilities in Roundcube Webmail are discovered (and patched) often.
They’ve also been previously exploited by state-sponsored threat actors to target governmental entities in Ukraine and across Europe, sometimes as zero-days (i.e., vulnerabilities only known to attackers, with no existing fix).
“While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies. Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information,” PT researchers noted, and highlighted the importance of timely updating of software.
Roundcube Webmail is actively developed, and fixes for privately reported and zero-day vulnerabilities are pushed out regularly.