Roundcube Webmail
cpe:2.3:a:roundcube:roundcube:*:*:*:*:*:*:*
- >= 1.6.0, < 1.6.14
A vulnerability exists in Roundcube Webmail versions 1.6.0 prior to 1.6.14, and in the 1.7 release candidates, specifically 1.7-rc5 and 1.7-rc6. The issue arises from inadequate sanitization of Cascading Style Sheets (CSS) in HTML email messages. This flaw may allow Server-Side Request Forgery (SSRF) or unauthorized information disclosure, particularly if the stylesheet links reference local network hosts.
Exploitation of this vulnerability could lead to SSRF, allowing an attacker to make requests to internal services or resources, potentially bypassing network security controls. Additionally, it could result in unauthorized information disclosure from those internal resources.
To reproduce this vulnerability, send an email containing a link to a stylesheet hosted on a local network server. When the email is received and the stylesheet is loaded, the Roundcube application will fetch the stylesheet without proper validation, potentially leading to SSRF or information disclosure.
Users can update to Roundcube Webmail versions 1.6.14 or 1.7-rc6, both of which include the necessary fix. Instructions for updating are available in the release notes on the Roundcube GitHub repository.
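As an added illustration of the sanitization gap described above (example code, not Roundcube's own; Roundcube is written in PHP, this is Python), the check below pulls every stylesheet reference out of an HTML message's CSS and separates those pointing at local network hosts, which a mail client must refuse to fetch, from ordinary remote content. The regexes, the internal zone suffixes and the sample message are constructed assumptions, not taken from Roundcube's sanitizer.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The three ways CSS in an HTML email can pull a resource from another host.
LINK_HREF_RE = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\']?([^"\'\s>]+)', re.I)
IMPORT_RE = re.compile(r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)', re.I)
URL_FUNC_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)

def extract_stylesheet_refs(html: str) -> list[str]:
    """Every external resource reference in the message's CSS, de-duplicated."""
    refs: list[str] = []
    for rx in (LINK_HREF_RE, IMPORT_RE, URL_FUNC_RE):
        for ref in rx.findall(html):
            if ref not in refs:
                refs.append(ref)
    return refs

def is_internal_host(host: str) -> bool:
    """Literal non-global IPs, single-label names and conventional internal
    zones (assumed list) count as local network hosts. A fetcher must still
    re-check the resolved address at connect time (DNS rebinding)."""
    host = host.strip("[]").lower()
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host or host.endswith((".local", ".internal", ".lan"))

def classify_refs(html: str) -> dict[str, list[str]]:
    """internal (must be blocked), external (remote content, subject to the
    user's remote-content setting) or other (relative, data:/cid:, unsupported)."""
    result: dict[str, list[str]] = {"internal": [], "external": [], "other": []}
    for ref in extract_stylesheet_refs(html):
        parsed = urlparse("http:" + ref if ref.startswith("//") else ref)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            result["other"].append(ref)
        elif is_internal_host(parsed.hostname):
            result["internal"].append(ref)
        else:
            result["external"].append(ref)
    return result

# Constructed sample message (not a real capture): a stylesheet link to an
# RFC 1918 address, an @import from loopback, and an image on a public CDN.
SAMPLE_EMAIL = """<html><head>
<link rel="stylesheet" href="http://10.0.0.5/theme.css">
<style>@import url("http://[::1]:8080/a.css");
body { background: url(https://cdn.example.net/bg.png) }</style>
</head><body><p>hello</p></body></html>"""
```

Calling `classify_refs(SAMPLE_EMAIL)` puts the two local references under `internal` and only the CDN image under `external`.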