#VU59318 Stored cross-site scripting in Roundcube - CVE-2021-46144

Cybersecurity Help s.r.o.

Published: 2022-01-09

Vulnerability identifier: #VU59318

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-46144

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Roundcube
Web applications / Webmail solutions

Vendor: Roundcube

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. A remote attacker can trick the victim to open a specially crafted email and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Roundcube: 1.3.0 - 1.3.17, 1.4.0 - 1.4.12, 1.5.0 - 1.5.1

External links
https://roundcube.net/news/2021/12/30/update-1.5.2-released
https://bugs.debian.org/1003027
https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
https://roundcube.net/news/2021/12/30/security-update-1.4.13-released

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for roundcube

Cross-site scripting in Roundcube