Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes
Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3443563 by somerandomdev
Summary:
The style sanitizer in Roundcube Webmail can be bypassed by creating HTML entities using CSS character escapes. This allows using arbitrary inline CSS, e.g. url(), and retrieving the IP address and user agent of the person reading the email.
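A defender-side illustration of the bug class summarized above, added here and not taken from Roundcube or the HackerOne report: a style check that decodes CSS character escapes and HTML entities to a fixed point before matching. The function names, the forbidden-token list and the sample values are assumptions constructed for this example.

```python
import html
import re

# CSS escape: backslash + 1-6 hex digits + one optional whitespace character,
# or backslash + any other non-newline character (CSS Syntax rules).
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f0-9a-fA-F]))")

# Hypothetical blocklist for this example; a real sanitizer should prefer an allowlist.
_FORBIDDEN = re.compile(r"url\s*\(|@import|expression\s*\(|image-set\s*\(", re.I)


def decode_css_escapes(value: str) -> str:
    """Resolve CSS character escapes the way a CSS tokenizer would."""
    def repl(match):
        if match.group(1):
            cp = int(match.group(1), 16)
            # NUL, surrogates and out-of-range code points become U+FFFD.
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return match.group(2)
    return _CSS_ESCAPE.sub(repl, value)


def canonicalize(value: str, max_rounds: int = 8) -> str:
    """Decode CSS escapes, then HTML entities, until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(decode_css_escapes(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("style value still changing after max_rounds decodes")


def naive_is_safe(value: str) -> bool:
    """Weak form: matches the raw attribute text only."""
    return not _FORBIDDEN.search(value)


def is_safe(value: str) -> bool:
    """Hardened form: match the canonical text; reject values that never settle."""
    try:
        return not _FORBIDDEN.search(canonicalize(value))
    except ValueError:
        return False


# Constructed sample: the CSS escape \26 yields "&", which completes an HTML entity.
SAMPLE_LAYERED = "background: \\26 #117;rl(//example.invalid/x)"
SAMPLE_BENIGN = "color: #ff0000; font-size: 12px"
```

The weak check accepts the constructed layered sample because neither decoding layer alone exposes the forbidden token; the hardened check rejects it and fails closed on values that keep changing.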