CVSS 7.5HIGH
The severity is rated HIGH due to the potential for widespread exploitation through phishing attacks and unauthorized tracking of email communications. Real-world exploitability in homelab environments is relatively high, as long as the attacker can craft emails targeting specific vulnerabilities within Roundcube Webmail's input handling.

Roundcube Webmail, a popular web-based email client, has been identified to contain three new sanitizer bypass vulnerabilities. These vulnerabilities allow attackers to inject malicious content into emails, thereby enabling various attacks such as email tracking and phishing. The vulnerabilities arise due to incomplete sanitization of user inputs, specifically within the HTML rendering engine used by Roundcube Webmail. This flaw can be exploited by crafting specially formatted emails that contain embedded scripts or links designed to bypass the existing input validation mechanisms. Exploitation could lead to unauthorized access, data exfiltration, and manipulation of email content on behalf of users, potentially compromising their communication security.

Affected Systems
  • Roundcube Webmail versions before 1.5.0
Affected Versions: all versions before 1.5.0
Remediation
  • Upgrade to the latest version of Roundcube Webmail (version 1.5.0 or higher) by running the command `composer update roundcube/roundcubemail --with-dependencies`.
  • Review and apply any security patches provided for your specific environment, found in the official release notes or changelog available at https://github.com/roundcube/roundcubemail/releases
  • Ensure that all dependencies are also up to date by checking their respective update channels.
Stack Impact

The impact on common homelab stacks is significant for those using Roundcube Webmail as an integrated component. Affected stacks include configurations running nginx, Apache web servers with PHP versions compatible with Roundcube's requirements (PHP 7.2+), and databases such as MySQL or PostgreSQL.

Source →