Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)

vendor:

Roundcube Webmail

by:

AmirZargham

6.1

CVSS

HIGH

Stored Cross Site Scripting (XSS)

CWE

Product Name: Roundcube Webmail

Affected Version From: 1.6

Affected Version To: 38869

Patch Exists: NO

Related CWE: CVE-2024-37383

CPE: a:roundcube:roundcubemail

Metasploit:

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=43139

Platforms Tested: Firefox, Chrome

2024

Roundcube Webmail 1.6.6 – Stored Cross Site Scripting (XSS)

The Roundcube Webmail email client before version 1.5.6 or between versions 1.6 and 1.6.6 is vulnerable to stored XSS (Cross Site Scripting) identified as CVE-2024-37383. This vulnerability allows malicious attackers to execute JavaScript code on a user's page by sending a specially crafted email.

Mitigation:

To mitigate this vulnerability, users are advised to update Roundcube Webmail to version 1.5.6 or above to prevent exploitation of the stored XSS issue.

Source

Exploit-DB raw data:

# Exploit Title: Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
# Google Dork:
# Exploit Author: AmirZargham
# Vendor Homepage: Roundcube - Free and Open Source Webmail Software
# Software Link: Releases · roundcube/roundcubemail
# Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.
# Tested on: firefox,chrome
# CVE: CVE-2024-37383
# CWE: CWE-79
# Platform: MULTIPLE
# Type: WebApps

Description:

The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. To exploit the vulnerability, all attackers need to do is open a malicious email using a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.

Usage Info:1 - open the Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export js file.2 - Change the web address of the original email (target) and the URL of the receiving server (attacker server).3 - You can put the code in file SVG <animate> tag and send it to the server. (can use this https://github.com/bartfroklage/CVE-2024-37383-POC)4 - After the victim clicks, all emails in the mailbox will be sent to your collaborator server.

This code automates the process of retrieving all messages inbox from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint.Here’s a step-by-step breakdown:
-
Setup URLs:

- The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration.

-
Get Total Page Count:

- The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount).
- If pagecount is found, it proceeds to loop through each page.

-
Fetch Message IDs from All Pages:

- For each page from 1 to pagecount, it constructs a paginated URL to request that page.
- Each page’s response is checked for instances of add_message_row(NUMBER) using regex, extracting message IDs from each instance and collecting all IDs in a single list.

-
Retrieve Each Message's Content:

- For each message ID, the code constructs a URL to request detailed data about that message.
- It sends a GET request for each message ID URL, receiving the full response HTML.

-
Extract and Clean Message Data:

- Within each message response, it uses regex to capture the <title> (message title) and main message content.
- Any HTML tags are stripped from the message content to keep only the plain text.

-
Send the Data to the Server:

- For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission.