Who and When:
- ESET Research highlighted that similar vulnerabilities were previously exploited by the Winter Vivern APT group to target European government entities.
- Sonar’s Vulnerability Research Team recently discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube.
- Roundcube released patches on August 4, 2024.
Our note:
This is a good example of collaboration and responsiveness between researchers (Oskar Zeino-Mahmalat) and the vendor (Aleksander Machniak)! :)
Solution:
If you are running Roundcube version 1.6.7 or below, or version 1.5.7 or below, apply the Roundcube fix described here: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
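As an added example (not part of the original advisory or of the Roundcube project), the following Python check decides whether an installed Roundcube version still needs the 1.6.8 / 1.5.8 update. It reads the version string from the RCMAIL_VERSION constant that Roundcube defines in program/include/iniset.php (constant name and path assumed from the Roundcube source tree, not from this advisory), and the sample file contents are constructed for the demonstration. Versions on branches newer than 1.6 are assumed to postdate the fix; the advisory itself only speaks about 1.5.x and 1.6.x.

```python
import re

# Versions that carry the fix, from the Roundcube security release linked above.
# Everything below these on the same branch is affected (1.6.7 and below, 1.5.7 and below).
FIXED_VERSIONS = {
    (1, 5): (1, 5, 8),
    (1, 6): (1, 6, 8),
}

# Regex for the version constant Roundcube defines in program/include/iniset.php
# (constant name and path assumed from the Roundcube source tree, not from this advisory).
RCMAIL_VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Turn '1.6.7', '1.5.7-git' or '1.6' into a comparable (major, minor, patch) tuple.
    Trailing suffixes such as '-git' are ignored; a missing patch number counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if this Roundcube version still needs the 1.6.8 / 1.5.8 security update."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if v < (1, 5, 0):
        # 1.4 and older are below 1.5.7 and receive no fix from this release: affected.
        return True
    # Branches newer than 1.6 are outside what the advisory covers; assumed here to
    # postdate the fix (an assumption of this example, not a statement from the advisory).
    return False


def version_from_iniset(php_source):
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php."""
    m = RCMAIL_VERSION_RE.search(php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php")
    return m.group(1)


def check_install(php_source):
    """Return (version, affected) for an iniset.php body."""
    version = version_from_iniset(php_source)
    return version, is_affected(version)


# Constructed sample of the relevant iniset.php line (not taken from any real install).
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.7');\n"

if __name__ == "__main__":
    ver, affected = check_install(SAMPLE_INISET)
    print(f"Roundcube {ver}: {'UPDATE REQUIRED' if affected else 'patched'}")
```

Run it against the real iniset.php of each Roundcube instance you operate (for example by passing the file contents to check_install); a True result means the instance is on 1.6.7 or below, or 1.5.7 or below, and should be updated per the Roundcube announcement above.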
Credits: Sonar - vulnerability-in-roundcube-webmail
- CVE: CVE-2024-42008
- CVE: CVE-2024-42009