Previously unknown XSS in Roundcube let Winter Vivern steal government emails.
“In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window,” ESET researcher Matthieu Faou wrote. “No manual interaction other than viewing the message in a web browser is required.”
The attacks began on October 11, and ESET detected them a day later. ESET reported the zero-day vulnerability to Roundcube developers on the same day, and they issued a patch on October 14. The vulnerability is tracked as CVE-2023-5631 and affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
It’s things like this that make me glad that my email service defaults to not loading any images/links/html. There’s a small button at the top to load them if I want.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world
This is a most excellent place for technology news and articles.
It’s things like this that make me glad that my email service defaults to not loading any images/links/html. There’s a small button at the top to load them if I want.
Checks Docker container: 1.6.4
Nice. Thanks, Watchtower.
That is the greatest thumbnail ever.