Oskar Zeino-Mahmalat

**Name of the Vulnerable Software and Affected Versions** Roundcube versions 1.5.0 through 1.5.7 Roundcube versions 1.6.0 through 1.6.7 **Description** The issue is related to the mod css styles function in Roundcube, which insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages. This allows a remote attacker to obtain sensitive information. **Recommendations** For versions 1.5.0 through 1.5.7, update to a version later than 1.5.7 to resolve the issue. For versions 1.6.0 through 1.6.7, update to a version later than 1.6.7 to resolve the issue. As a temporary workaround, consider disabling the mod css styles function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Roundcube versions prior to 1.5.8 Roundcube versions 1.6.0 through 1.6.7 Roundcube versions prior to 1.6.8 Roundcube versions prior to 1.4.15+dfsg.1-1+deb11u4 (Bullseye) Roundcube versions prior to 1.6.5+dfsg-1+deb12u3 (Bookworm) Roundcube versions prior to 1.6.6+dfsg-2ubuntu0.1+esm1 (Ubuntu Pro) **Description** Roundcube webmail is affected by multiple cross-site scripting (XSS) vulnerabilities. A flaw exists in the handling of sanitization within the `message body()` function, potentially allowing a remote attacker to execute malicious JavaScript code when a crafted email message is opened. Successful exploitation could allow an attacker to steal and send emails as another user. Recent reports indicate active exploitation of CVE-2024-42009 in spear phishing campaigns targeting Polish organizations, with UNC1151 linked to these attacks. The vulnerability abuses a deserialization issue in the `message body()` function. The `rcmail action mail get->run()` function is also implicated in the XSS issue. **Recommendations** Roundcube versions prior to 1.5.8: Upgrade to version 1.5.8 or later. Roundcube versions 1.6.0 through 1.6.7: Upgrade to version 1.6.8 or later. Roundcube versions prior to 1.6.6+dfsg-2ubuntu0.1+esm1 (Ubuntu Pro): Update to version 1.6.6+dfsg-2ubuntu0.1+esm1 or later. Roundcube versions prior to 1.4.15+dfsg.1-1+deb11u4 (Bullseye): Upgrade to version 1.4.15+dfsg.1-1+deb11u4 or later. Roundcube versions prior to 1.6.5+dfsg-1+deb12u3 (Bookworm): Upgrade to version 1.6.5+dfsg-1+deb12u3 or later.

**Name of the Vulnerable Software and Affected Versions** Roundcube versions 1.5.7 and earlier, 1.6.x through 1.6.7 **Description** The issue exists due to inadequate protection of the web page structure in the `rcmail action mail get->run()` function of the Roundcube Webmail client. Exploitation of this issue may allow a remote attacker to conduct a cross-site scripting (XSS) attack by sending specially crafted malicious attachments. This can potentially allow the attacker to steal and send emails of a victim via a malicious email attachment served with a dangerous Content-Type header. **Recommendations** For Roundcube versions 1.5.7 and earlier: Update to a version later than 1.5.7 to resolve the issue. For Roundcube versions 1.6.x through 1.6.7: Update to a version later than 1.6.7 to resolve the issue. As a temporary workaround, consider restricting access to the `rcmail action mail get->run()` function until a patch is available. Avoid using dangerous Content-Type headers in email attachments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enhancesoft osTicket version 1.18.0 **Description** The issue is related to a Cross Site Scripting vulnerability in the sanitize function, allowing a remote attacker to escalate privileges via a crafted support ticket. This vulnerability is also associated with a common Desanitization code pattern that can lead to serious issues. **Recommendations** For version 1.18.0, consider disabling the sanitize function as a temporary workaround until a patch is available. Restrict access to the support ticket system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netgate pfSense version 2.7.0 **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability that allows a remote attacker to gain privileges via a crafted URL to the "getserviceproviders.php" page. This vulnerability is associated with a lack of protection for the web page structure. Exploitation of this issue can enable a remote attacker to elevate their privileges. **Recommendations** For version 2.7.0, consider disabling access to the "getserviceproviders.php" page until a patch is available. Restricting access to this page can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netgate pfSense version 2.7.0 **Description** An issue in Netgate pfSense allows a remote attacker to execute arbitrary code via a crafted request to the `interfaces gif edit.php` and `interfaces gre edit.php` components. This is due to the lack of measures to neutralize special elements, which can be exploited by a remote attacker to execute arbitrary commands. **Recommendations** For Netgate pfSense version 2.7.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `interfaces gif edit.php` and `interfaces gre edit.php` components until a patch is available. Avoid using these components in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netgate pfSense version 2.7.0 Netgate pfSense CE versions 2.7.0 and below Netgate pfSense Plus versions 23.05.1 and below **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability in the status logs filter dynamic.php component of Netgate pfSense. This vulnerability can be exploited by a remote attacker to gain privileges via a crafted URL to the status logs filter dynamic.php page. By combining vulnerabilities, an attacker can force a user to activate an XSS payload and achieve Remote Code Execution (RCE). **Recommendations** For Netgate pfSense version 2.7.0, consider disabling access to the status logs filter dynamic.php page until a patch is available. For Netgate pfSense CE versions 2.7.0 and below, restrict access to the vulnerable component to minimize the risk of exploitation. For Netgate pfSense Plus versions 23.05.1 and below, avoid using the crafted URL to the status logs filter dynamic.php page until the issue is resolved. As a temporary workaround, consider disabling the vulnerable function related to the status logs filter dynamic.php page until a patch is available.