Pro-Russia hackers target inboxes with 0-day in webmail app used by millions
Pro-Russia hackers target inboxes with 0-day in webmail app used by millions
Previously unknown XSS in Roundcube let Winter Vivern steal government emails.
“In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window,” ESET researcher Matthieu Faou wrote. “No manual interaction other than viewing the message in a web browser is required.”
The attacks began on October 11, and ESET detected them a day later. ESET reported the zero-day vulnerability to Roundcube developers on the same day, and they issued a patch on October 14. The vulnerability is tracked as CVE-2023-5631 and affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
You're viewing a single thread.
It's things like this that make me glad that my email service defaults to not loading any images/links/html. There's a small button at the top to load them if I want.