Hackers are abusing a vulnerability in the Roundcube Webmail to steal emails and other sensitive data, new reports have claimed.
Cybersecurity experts from Positive Technologies sounded the alarm, saying the popular email client carries a flaw that is being actively exploited against government organizations in the Commonwealth of Independent States (CIS) region (former Soviet Union).
Roundcube Webmail is a popular browser-based email client with a user-friendly interface that mimics the look and feel of a desktop application. It supports standard email protocols like IMAP and SMTP, and offers features such as message search, contact management, and plugin customization.
Hiding with HTML
The bug is tracked as CVE-2024-37383, and described as a medium-severity stored cross-site scripting (XSS) flaw, allowing the execution of malicious JavaScript on the Roundcube page.
To trigger the vulnerability, the crooks would draft and send a unique email. The email’s body appears empty, and only comes with a .DOC attachment. But the attackers would hide harmful code in the email using specific HTML tags (in this case, the tag), which is processed by the email client, while being invisible to the target user.
The payload is a piece of JavaScript code masquerading as a ‘href’ value. It downloads a decoy .DOC file, while injecting an unauthorized login form into the HTML page, which requests messages from the mail server. The form prompts the victim for their username and password, which are then relayed to the attackers.
All versions up to 1.5.6, as well as versions between 1.6 and 1.6.6. were said to be vulnerable to the flaw. Versions 1.5.7 and 1.6.7, released on May 19, are the earliest ones to have addressed the bug, and users are advised to upgrade their clients as soon as possible.
Via BleepingComputer
More from TechRadar Pro
