Threat actors could leverage a trio of security flaws impacting webmail software Roundcube to target web browsers with malicious JavaScript that could facilitate the exfiltration of sensitive information, including emails, credentials, and contacts, The Hacker News reports.
Included in the severe Roundcube vulnerabilities were the cross-site scripting issues, tracked as CVE-2024-42008 and CVE-2024-42009, as well as the information disclosure bug, tracked as CVE-2024-42010, an analysis from Sonar revealed. "For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user," said Sonar researcher Oskar Zeino-Mahmalat. On the other hand, attackers were noted by security researcher 0xzon1 to potentially exploit the maximum severity local privilege escalation vulnerability in the open-source project RaspAP to achieve root privileges and command execution.
