
Roundcube Webmail Vulnerability Exploited in Government Attack


An XSS vulnerability in Roundcube Webmail has been targeted for code execution against a governmental organization in a CIS country.

A threat actor was caught attempting to exploit a recent vulnerability in Roundcube Webmail against a governmental organization in a Commonwealth of Independent States (CIS) country, cybersecurity firm Positive Technologies reports.

Tracked as CVE-2024-37383 and described as a cross-site scripting (XSS) issue affecting the way Roundcube was handling SVG animate attributes, the bug was patched on May 19 in Roundcube Webmail versions 1.5.7 and 1.6.7.

According to Positive Technologies, the targeted entity received an email message that only contained an attachment, without a text body. The message was sent in June.

The email client, the cybersecurity firm says, did not show the attachment, and the email body contained distinctive tags and a statement to decode and execute JavaScript code.

“The distinctive attribute name (attributeName=“href ”), containing ...
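A defender-side check for the indicator described above, as an added example (not code from SecurityWeek, Positive Technologies or Roundcube): it scans the HTML parts of a stored message for SVG animation elements whose `attributeName` resolves to a link attribute. The function and class names are hypothetical, the sample messages are constructed, and ignoring padding whitespace in the value is an assumption made for matching.

```python
import email
from email import policy
from html.parser import HTMLParser

# SVG elements that can rewrite an attribute of their parent element.
ANIMATION_TAGS = {"animate", "set"}
LINK_ATTRS = {"href", "xlink:href"}


class AnimateHrefFinder(HTMLParser):
    """Collects animation elements that target a link attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ANIMATION_TAGS:
            return
        for name, value in attrs:
            if name != "attributename" or value is None:
                continue
            # Assumption: compare after trimming, so "href " matches "href".
            if value.strip().lower() in LINK_ATTRS:
                padded = value != value.strip()
                self.hits.append((tag, value, padded))


def scan_message(raw: bytes):
    """Return (tag, raw attributeName value, padded?) for each hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = AnimateHrefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits


# Constructed samples; the "to" value is a harmless placeholder.
HEADERS = (b"From: a@example.test\r\nTo: b@example.test\r\n"
           b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: text/html; charset=utf-8\r\n\r\n")
SUSPICIOUS = HEADERS + (b'<svg><a><animate attributeName="href " '
                        b'to="PLACEHOLDER"/><text>x</text></a></svg>\r\n')
BENIGN = HEADERS + b'<svg><animate attributeName="opacity" to="0"/></svg>\r\n'

if __name__ == "__main__":
    print(scan_message(SUSPICIOUS))
    print(scan_message(BENIGN))
```

A hit with the padded flag set is the stronger signal, since legitimate mail rarely animates a link attribute at all and has no reason to pad the attribute name.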


Copyright of this story solely belongs to SecurityWeek.