Serious vulnerability in Roundcube

Security advisory for the Roundcube webmail software

2021/01/28

Following a security advisory for the Roundcube webmail software, published at the end of 2020, potentially affected systems within DFN's area of responsibility have been identified.

The Roundcube webmail application processes in-line link references in plain-text messages both before and after the sanitization step. Because of this ordering, an input sanitization vulnerability has been discovered in how Roundcube webmail handles link references in text messages; it can be exploited to perform stored cross-site scripting (XSS) attacks.

A remote attacker can send a specially crafted email containing malicious text; when the user displays the message, arbitrary JavaScript code executes in the context of the vulnerable web application. This allows the attacker to impersonate the victim and to use the webmail features on their behalf. (Source: https://www.alexbirnberg.com/roundcube-xss.html)
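The ordering problem described above (a transform that touches message text after sanitization has already run) is easiest to see in a small model. The following Python is an added example written for this page; it is not Roundcube's code and does not reproduce the actual Roundcube bug or payload. It models a plain-text mailer convention of `[n]` references resolved from `[n] URL` footnote lines (a constructed convention for this example), renders one constructed message through an unsafe pipeline that escapes the body and then re-inserts the raw URL, renders it again through a hardened pipeline that escapes every message-derived string at the point it enters HTML and restricts `href` to http/https, and includes a simple check that a reviewer or test suite could run over rendered output to spot attribute breakout.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample message for this example (not a real Roundcube message).
# The footnote URL contains a double quote to show what an unescaped value
# does inside an HTML attribute.
SAMPLE_MESSAGE = 'See the release notes [1].\n\n[1] https://example.org/notes?a=1&b="x"'

REF_RE = re.compile(r"\[(\d+)\]")                       # in-line reference, e.g. [1]
DEF_RE = re.compile(r"^\[(\d+)\]\s+(\S+)\s*$", re.MULTILINE)  # footnote line: [1] URL


def collect_link_definitions(text):
    """Map reference numbers to the URLs given on '[n] URL' footnote lines."""
    return {int(n): url for n, url in DEF_RE.findall(text)}


def unsafe_render(text):
    """Flawed ordering: escape the body first, then resolve references using the
    ORIGINAL, unescaped URL text. Characters the sanitizer already neutralised
    are re-injected into an attribute, so the sanitization step is wasted."""
    defs = collect_link_definitions(text)
    escaped = html.escape(text)  # sanitization happens here ...

    def replace(match):
        url = defs.get(int(match.group(1)))
        if url is None:
            return match.group(0)
        # ... and is undone here: raw URL goes straight into href.
        return '<a href="%s">[%s]</a>' % (url, match.group(1))

    return REF_RE.sub(replace, escaped)


def safe_render(text):
    """Hardened ordering: walk the raw text, resolve references into structure,
    and escape each message-derived fragment at the moment it becomes HTML.
    Only http/https URLs are allowed into href; anything else stays as text."""
    defs = collect_link_definitions(text)
    parts = []
    pos = 0
    for match in REF_RE.finditer(text):
        parts.append(html.escape(text[pos:match.start()]))
        url = defs.get(int(match.group(1)))
        if url is not None and urlsplit(url).scheme in ("http", "https"):
            parts.append('<a href="%s">%s</a>'
                         % (html.escape(url, quote=True), html.escape(match.group(0))))
        else:
            parts.append(html.escape(match.group(0)))
        pos = match.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


# Matches an anchor whose href value is followed by extra characters before '>'.
# A well-formed anchor from these renderers has nothing between the closing
# quote of href and the '>', so any captured text indicates attribute breakout.
ANCHOR_RE = re.compile(r'<a href="[^"]*"([^>]*)>')


def has_attribute_breakout(rendered_html):
    """Return True if any rendered anchor carries unexpected content after href,
    which is what an unescaped quote in the URL produces."""
    return any(extra.strip() for extra in ANCHOR_RE.findall(rendered_html))


if __name__ == "__main__":
    for name, renderer in (("unsafe", unsafe_render), ("safe", safe_render)):
        out = renderer(SAMPLE_MESSAGE)
        print("%s: breakout=%s\n  %s" % (name, has_attribute_breakout(out), out))
```

The design point is that sanitization has to be the last step that sees message-controlled text, or every later transform must escape its own inputs; a check such as `has_attribute_breakout` over rendered output is a cheap regression test for renderers that mix the two.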

Technical information on the vulnerability can be found here:
https://www.alexbirnberg.com/roundcube-xss.html

Patches and further information on affected versions are available from the vendor:
https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.[..]