Roundcube Webmail Security Updates Patch Critical Vulner

Jennifer Sherman
March 24, 2026

Critical security patches have been released for Roundcube Webmail, a widely used open-source web-based IMAP email client. Version 1.6.14 addresses multiple severe vulnerabilities found within the 1.6.x branch.

The release resolves a broad range of security issues, from a pre-authentication arbitrary-file-write flaw to cross-site scripting (XSS) and server-side request forgery (SSRF).

System administrators are strongly urged to apply this update to protect their communication infrastructure from potential exploitation by threat actors.

Critical Vulnerabilities Addressed

The most severe vulnerability patched in this release involves a pre-authentication arbitrary-file-write flaw. Discovered by security researcher y0us, this issue stems from unsafe deserialization in the Redis and Memcached session handlers.

Because this flaw does not require an attacker to authenticate, it poses a significant risk for unauthenticated remote code execution on vulnerable web servers.

If exploited, attackers could gain complete control over the application environment.

The update also patches an SSRF and information disclosure vulnerability. Reported by Georgios Tsimpidas, this flaw allowed attackers to abuse stylesheet links to reach hosts on the local network.

This vulnerability could enable threat actors to map internal network architectures or extract sensitive data from hidden internal services that are normally shielded from the public internet.

Version 1.6.14 also resolves a critical logic bug in the account management code. Security researcher flydragon777 reported an issue where an attacker could change an account password without supplying the old password.

This severely undermined account security and could lead to a complete account takeover if an active session was even briefly hijacked.

Furthermore, the Martila Security Research Team identified a combined IMAP injection and Cross-Site Request Forgery (CSRF) bypass vulnerability located within the mail search functionality.

This flaw could allow malicious actors to manipulate backend mail server commands and perform unauthorized actions on behalf of a currently authenticated user.

Client-Side Security Bypasses

The development team addressed several client-side vulnerabilities that could allow malicious payloads to execute in the victim's browser or let senders track the victim.

An XSS vulnerability present in the HTML attachment preview feature was successfully patched after being reported by aikido_security. Multiple methods used to bypass remote image blocking were also fixed.

A researcher known as nullcathedral reported bypasses that used SVG animate attributes and crafted body background attributes.

Blocking remote images is a vital privacy feature: it prevents senders from using tracking pixels to confirm whether an email was opened.

The same researcher also identified a flaw that allowed bypassing fixed-position mitigations by misusing the CSS !important declaration, which has now been resolved.
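The attribute-level bypasses described above (SVG animate attributes and body background attributes, alongside the usual src/href) are exactly the shapes a remote-image blocker has to cover. The following is an added example written for this article, not Roundcube's own sanitizer; it assumes an attribute-level filter is sufficient for the demonstration (CSS inside style blocks and @import are out of scope), and it runs over a constructed sample body.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose value the client fetches automatically when rendering.
URL_ATTRS = {"src", "srcset", "poster", "background", "href", "xlink:href"}
# SMIL elements can set href at render time from their value attributes
# (<animate attributeName="href" to="https://...">), bypassing an src/href-only filter.
ANIM_TAGS, ANIM_ATTRS = {"animate", "set", "animatemotion"}, {"from", "to", "values", "by"}
REMOTE = re.compile(r"^\s*(https?:|ftp:|//)", re.I)       # scheme-based; cid:/data: pass
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(https?:|ftp:|//)", re.I)

def _carries_ref(tag, name):
    if name in ("href", "xlink:href"):
        return tag not in ("a", "area")  # plain links are navigation, not auto-fetched
    return name in URL_ATTRS or (tag in ANIM_TAGS and name in ANIM_ATTRS)

class RemoteRefBlocker(HTMLParser):
    """Re-emits HTML with remote references removed; html.parser lowercases names."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            v = value or ""
            # srcset and SMIL 'values' may hold several references separated by ',' or ';'
            if _carries_ref(tag, name) and any(REMOTE.match(p) for p in re.split(r"[;,]", v)):
                self.blocked.append((tag, name, v))
                continue  # drop the attribute entirely
            if name == "style" and CSS_URL.search(v):
                self.blocked.append((tag, name, v))
                v = re.sub(r"url\([^)]*\)", "none", v, flags=re.I)
            kept.append(f' {name}="{escape(v)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._filter(tag, attrs)}>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_refs(html):
    p = RemoteRefBlocker()
    p.feed(html); p.close()
    return "".join(p.out), p.blocked

# Constructed sample body (not from any real message) covering the bypass shapes named above.
SAMPLE = ('<body background="https://t.example/p.gif"><img src="cid:logo">'
          '<svg><image href="cid:pic"/><animate attributeName="href" to="https://t.example/px.gif"/></svg>'
          '<div style="background:url(https://t.example/a.png)">hi &amp; bye</div>'
          '<a href="https://example.org/unsubscribe">opt out</a></body>')
```

Calling `block_remote_refs(SAMPLE)` returns the rewritten body plus the list of blocked (tag, attribute, value) triples, so the same routine can feed a "remote content blocked" banner or a detection log.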

Beyond the extensive list of security fixes, version 1.6.14 includes a functional patch resolving issues with PostgreSQL database connections utilizing IPv6 addresses.

The Roundcube development team considers this release highly stable and recommends that administrators immediately update all production installations of Roundcube 1.6.x.

Administrators should back up all database and application data before starting the upgrade to prevent unexpected data loss.

The update packages, cryptographic signatures, and source code are currently available for download on the official Roundcube GitHub repository.
