Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3594137 by aikido_security
The compose attachment preview endpoint renders user-uploaded HTML files inline without a restrictive Content Security Policy, which allows JavaScript execution. When an HTML file is uploaded and then opened via display-attachment, its script runs in the Roundcube origin. Attacking a user is only possible by setting cookies on the domain, which can be done from any subdomain of the site where Roundcube is hosted.
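A defender can check any endpoint that serves uploaded files for the condition described above by inspecting its response headers. The following is an added example, not Roundcube's code or its fix; the function names and the sample header sets are hypothetical and constructed for illustration.

```python
# Added example: header sets below are constructed, not captured from Roundcube.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_csp(value):
    """Parse one CSP header value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return policy

def csp_stops_origin_script(policy):
    """True if the policy blocks script or confines it to an opaque origin."""
    sandbox = policy.get("sandbox")
    if sandbox is not None and not {"allow-scripts", "allow-same-origin"} <= set(sandbox):
        return True
    fallback = policy.get("script-src", policy.get("default-src"))
    # Conservative: only an explicit 'none' source list counts as blocking.
    return all(policy.get(d, fallback) == ["'none'"]
               for d in ("script-src-elem", "script-src-attr"))

def runs_upload_script_in_origin(headers):
    """True if a response serving an uploaded file can run its script in the app origin."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition == "attachment" or ctype not in ACTIVE_TYPES:
        return False  # downloaded, or not a script-capable document type
    return not csp_stops_origin_script(parse_csp(h.get("content-security-policy", "")))

SAMPLES = {  # constructed responses for an attachment preview endpoint
    "inline html, no csp": {"Content-Type": "text/html; charset=UTF-8"},
    "inline html, sandboxed": {"Content-Type": "text/html",
                               "Content-Security-Policy": "sandbox"},
    "forced download": {"Content-Type": "text/html",
                        "Content-Disposition": 'attachment; filename="a.html"'},
    "weak csp": {"Content-Type": "text/html",
                 "Content-Security-Policy": "default-src 'none'; script-src-elem 'unsafe-inline'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {'AT RISK' if runs_upload_script_in_origin(hdrs) else 'ok'}")
```
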
C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Unix to contain the following entries: