Roundcube < 1.6.4: XSS vulnerability in Roundcube webmail

CrazyFrog

Verified User
Joined
Aug 28, 2019
Messages
39
From oss-security comes the following; Roundcube should be upgraded to 1.6.4. If that update is already available, thanks!

-----

Versions up to 1.6.3 - not 1.6.4 - are vulnerable.

https://www.cve.org/CVERecord?id=CVE-2023-5631

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

G

On 31/10/2023 23:26, Valtteri Vuorikoski wrote:
Not associated with the project or ESET, but didn't see anything here about
this yet.

Roundcube is an open-source webmail client. Versions up to 1.6.4 are
vulnerable (including the 1.4.x and 1.5.x series) to an XSS exploit
caused by an issue in the sanitization of SVG image elements in HTML
emails. ESET describes CVE-2023-5631 as follows in their press release
at <https://www.eset.com/us/about/newsr...vers-of-governments-in-europe-through-zero-1/>:

By sending a specially crafted email message, attackers are able to
load arbitrary JavaScript code in the context of the Roundcube user’s
browser window. No manual interaction other than viewing the message
in a web browser is required. The final JavaScript payload can
exfiltrate email messages to the command and control server of the
group.

The Roundcube project has released new versions for each of the abovementioned
release series. The official release notification is at
<https://roundcube.net/news/2023/10/16/security-update-1.6.4-released>.

According to ESET, the vulnerability is being actively exploited to
target "governmental entities in Europe".

-Valtteri
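As an added example (not part of this thread or of the Roundcube project), the following script turns the affected ranges stated in the CVE-2023-5631 record quoted above (before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4) into a check you can run against a version string, including the version found in the DirectAdmin "RoundCube X to Y update is available." notice in the format shown later in this thread. It assumes that release series newer than 1.6, which the record does not name, are not affected; all version strings below are constructed.

```python
"""Decide whether a Roundcube version is inside an affected range of
CVE-2023-5631, using the ranges from the CVE record: before 1.4.15,
1.5.x before 1.5.5, 1.6.x before 1.6.4. Added example, not project code."""
import re

# First fixed release of each affected series, as stated in the CVE record.
FIXED_IN = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}

# Matches the DirectAdmin notice "RoundCube 1.6.10 to 1.6.11 update is available."
# (line format as it appears in this thread; assumption: it is stable).
_DA_NOTICE = re.compile(
    r"RoundCube\s+(\d+(?:\.\d+)+)\s+to\s+(\d+(?:\.\d+)+)\s+update is available"
)


def parse_version(text):
    """'1.6.3' or '1.6.3-rc1' -> (1, 6, 3); a two-part version is padded with 0."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True when `version` lies in an affected range of CVE-2023-5631."""
    v = parse_version(version)
    series = v[:2]
    if series in FIXED_IN:
        return v < FIXED_IN[series]
    # "before 1.4.15" also covers every release older than the 1.4 series.
    if series < (1, 4):
        return True
    # Series newer than 1.6 are not named in the record: treated as not affected
    # (assumption of this example, not a statement from the record).
    return False


def installed_version_from_da_output(output):
    """Installed version from the DirectAdmin update notice, or None if absent."""
    m = _DA_NOTICE.search(output)
    return m.group(1) if m else None


def assess_da_output(output):
    """Return (installed_version, affected) for a DirectAdmin update notice."""
    v = installed_version_from_da_output(output)
    if v is None:
        return None, None
    return v, is_affected(v)


if __name__ == "__main__":
    # Constructed sample notice in the format seen in this thread.
    sample = "RoundCube 1.6.10 to 1.6.11 update is available."
    print(assess_da_output(sample))          # ('1.6.10', False)
    for s in ("1.4.14", "1.5.4", "1.6.3", "1.6.4"):
        print(s, "affected" if is_affected(s) else "fixed")
```

Versions such as 1.6.3-rc1 are reduced to their numeric core before comparison; if your environment reports versions in another form, adjust `parse_version` rather than the range table.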
 
 
Awesome, I searched for "roundcube" but didn't see any relevant results. Thanks everyone!
 
Anyone getting this error:

RoundCube 1.6.10 to 1.6.11 update is available.

Latest version of phpMyAdmin: 5.2.2-1
Installed version of phpMyAdmin: 5.2.2-1

If you want to update all the available versions run: da build update_versions
[[email protected] html]# da build update_versions
Updating RoundCube
download_cached: using cached '/usr/local/directadmin/custombuild/cache/roundcubemail-1.6.11-complete.tar.gz' file
updating database user da_roundcube@localhost password
Checking for database schema updates...
Updating database schema (2020020101)... [FAILED]
ERROR: Error in DDL upgrade 2020020101: [1091] Can't DROP FOREIGN KEY `user_id_fk_cache`; check that it exists
command_roundcube: failed to compile '/usr/local/directadmin/custombuild/cache/roundcubemail-1.6.11-complete.tar.gz' inside '/usr/local/directadmin/custombuild/tmp/tmp.E5PR1izf8H.roundcubemail-1.6.11-complete.tar.gz'
failed to install Roundcube


I'm running MariaDB 10.6.
 
I know, but they are all old posts concerning upgrading from 1.4 or 1.5. This is a minor update, and still it returns this error.

The error occurs with RoundCube when you have inconsistent data, probably for years already (an existing contacts list where the user ID no longer exists in the RoundCube users table, etc.). There is no easy way to fix it if you want to save existing data such as contacts, user profiles, etc.

If you don't need them, you can simply drop the database da_roundcube and complete a fresh installation of the webmail.

If you need to save the existing data, then you will need:

1. export the existing database using phpMyAdmin (for example): data only (without CREATE TABLE instructions), using this scheme:

Code:
INSERT INTO `table` VALUES(...)

where every record has its own INSERT INTO line.

Save the statements into a text file on the server (using SSH), for example roundcube_data.sql.

2. rename the database da_roundcube to, for example, da_roundcubeOLD

3. complete a fresh installation of RoundCube

4. re-import the existing data with the -f flag:

Code:
mysql -u da_admin -p --database=da_roundcube -f < roundcube_data.sql

and run this command 2-3 times to complete the import of all records that are still consistent and don't break foreign keys. The command might output INSERT errors; they are most likely safe to ignore.


p.s. IMPORTANT: This is not a complete guide. I specified only the core steps and intentionally omitted some details (such as how to SSH to a server, how to write data to a text file over SSH, where to find da_admin's password, etc.). If you don't know how to run those commands, you'd better get somebody to fix RoundCube for you.
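The procedure above depends on every record having its own INSERT INTO statement: `mysql -f` skips a statement that fails and continues with the next one, so if a dump packs many rows into one INSERT, a single orphaned row (a contact whose user_id no longer exists in the users table) makes the server reject the whole statement and the consistent rows in it are lost as well. As an added example that is not part of this post or of RoundCube/DirectAdmin, the script below rewrites mysqldump-style extended INSERTs into single-row INSERTs. It assumes one statement per line, as mysqldump emits; the sample dump inside it is constructed.

```python
"""Split extended INSERT statements (many rows per INSERT) into one INSERT
per row, so that `mysql -f` can skip only the rows that break a foreign key.
Added example; assumes one SQL statement per line, as mysqldump writes them."""
import re
import sys

# "INSERT INTO `table` [(cols)] VALUES" prefix of an INSERT statement.
_INSERT_HEAD = re.compile(
    r"^(INSERT\s+INTO\s+`?\w+`?(?:\s*\([^)]*\))?\s+VALUES)\s*",
    re.IGNORECASE,
)


def split_value_tuples(body):
    """Return each top-level "(...)" row tuple of a VALUES body such as
    "(1,'a'),(2,'b, (c)')". Quoted strings, backslash escapes and doubled
    quotes are honoured so commas and parentheses inside strings are ignored."""
    rows = []
    depth = 0
    quote = None
    start = 0
    i = 0
    while i < len(body):
        ch = body[i]
        if quote:
            if ch == "\\":
                i += 2  # escaped character inside a string literal
                continue
            if ch == quote:
                if i + 1 < len(body) and body[i + 1] == quote:
                    i += 2  # doubled quote ('') is an escaped quote
                    continue
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                rows.append(body[start:i + 1])
        i += 1
    return rows


def split_extended_inserts(dump_text):
    """Rewrite every multi-row INSERT in `dump_text` as single-row INSERTs.
    Lines that are not INSERTs (comments, SET statements) pass through
    unchanged; blank lines are dropped. Returns the list of output lines."""
    out = []
    for line in dump_text.splitlines():
        stmt = line.strip()
        if not stmt:
            continue
        m = _INSERT_HEAD.match(stmt)
        if not m:
            out.append(stmt)
            continue
        head = m.group(1)
        body = stmt[m.end():].rstrip().rstrip(";")
        for row in split_value_tuples(body):
            out.append(f"{head} {row};")
    return out


# Constructed sample dump, not real RoundCube data: contact 3 points at a
# user_id (42) that no longer exists, the situation described in the thread.
SAMPLE_DUMP = """-- constructed sample
INSERT INTO `users` VALUES (7,'alice@example.com'),(9,'bob@example.com');
INSERT INTO `contacts` (`contact_id`,`name`,`user_id`) VALUES (1,'Alice',7),(2,'O\\'Brien, (x)',9),(3,'Orphan',42);
"""


if __name__ == "__main__":
    # Usage: python split_inserts.py roundcube_data.sql > roundcube_rows.sql
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_DUMP
    sys.stdout.write("\n".join(split_extended_inserts(src)) + "\n")
```

Feed the rewritten file to the import command from step 4 (`mysql -u da_admin -p --database=da_roundcube -f < roundcube_rows.sql`) and repeat it as the post describes; the only statements that still fail are the orphaned rows. If you export with mysqldump, `--no-create-info --skip-extended-insert` already produces one row per INSERT and this rewrite is not needed.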
 