Roundcube Webmail Security Update Advisory

Overview

An update has been released to address vulnerabilities in Roundcube Webmail. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-42008, CVE-2024-42009, CVE-2024-42010

  • Roundcube Webmail version: 1.5.7
  • Roundcube Webmail versions: 1.6.0 through 1.6.7 (inclusive)

Resolved Vulnerabilities

A cross-site scripting (XSS) vulnerability in rcmail_action_mail_get->run() allows remote attackers to steal and send a victim's email via a malicious email attachment with a dangerous Content-Type header (CVE-2024-42008)

A desanitization issue in message_body() in program/actions/mail/show.php could allow remote attackers to steal a victim's email via crafted email messages (CVE-2024-42009)

Some versions of mod_css_styles in Roundcube did not sufficiently filter Cascading Style Sheets (CSS) token sequences in rendered email messages, which could allow remote attackers to obtain sensitive information (CVE-2024-42010)

Vulnerability Patches

The following product-specific vulnerability patches are available in the latest update. If you are running an affected version, follow the instructions on the referenced sites to update to the patched version.

CVE-2024-42008, CVE-2024-42009, CVE-2024-42010

  • Roundcube Webmail version: 1.5.8
  • Roundcube Webmail version: 1.6.8
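To check an inventoried installation against the affected and fixed versions listed above, the following is an added example (not from this advisory or from the Roundcube project) that parses a version string, reports whether it falls in an affected range, and names the release that fixes it; the version ranges are taken from the advisory, and the sample version strings at the bottom are constructed.

```python
# Added example: map a Roundcube Webmail version string to the advisory's
# affected ranges and fixed releases. Ranges come from the advisory text;
# the sample versions at the bottom are constructed for demonstration.
from typing import Optional, Tuple

CVES = ("CVE-2024-42008", "CVE-2024-42009", "CVE-2024-42010")

# (lowest affected, highest affected, fixed release) per branch, as listed
# in the advisory. Versions outside these ranges are simply "not listed";
# the advisory says nothing about them, so this check does not call them safe.
AFFECTED = [
    ((1, 5, 7), (1, 5, 7), "1.5.8"),
    ((1, 6, 0), (1, 6, 7), "1.6.8"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '1.6.7' (also 'v1.6' or '1.6.7-rc1') into a comparable 3-tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


def check_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for a Roundcube version string."""
    version = parse_version(text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return True, fixed
    return False, None


def report(text: str) -> str:
    """One-line finding suitable for an inventory or ticket."""
    affected, fixed = check_version(text)
    if affected:
        return f"{text}: affected by {', '.join(CVES)}; update to {fixed}"
    return f"{text}: not in the advisory's affected ranges"


if __name__ == "__main__":
    # Constructed sample versions, not observations from any real host.
    for sample in ("1.5.7", "1.6.0", "1.6.7-rc1", "1.6.8", "1.5.8"):
        print(report(sample))
```

Versions the advisory does not list (for example earlier 1.5.x releases) are reported as "not in the advisory's affected ranges", which is not the same as confirmed unaffected.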

References

[1] Roundcube Webmail release 1.5.8
https://github.com/roundcube/roundcubemail/releases/tag/1.5.8

[2] Roundcube Webmail release 1.6.8
https://github.com/roundcube/roundcubemail/releases/tag/1.6.8