Roundcube Webmail
cpe:2.3:a:roundcube:roundcube:*:*:*:*:*:*:*, +2 more
- < 1.5.14
A vulnerability exists in Roundcube Webmail versions prior to 1.5.14 and 1.6.14, as well as in the 1.7 release candidate versions prior to 1.7-rc6. The issue allows for the bypass of the remote image blocking feature by exploiting SVG content that includes animate attributes, potentially leading to information disclosure or an access-control bypass.
Successful exploitation bypasses the remote image blocking feature, so SVG content with animate attributes is processed. Depending on the context in which the vulnerability is exploited, this could lead to unauthorized access to information or a violation of access controls.
To reproduce this vulnerability, send an email containing SVG images with specific animate attributes that could manipulate the email client's handling of the images. Once the email is received, the SVG animations may trigger the bypass of the image blocking feature, depending on the email client's SVG handling.
Users can update to Roundcube Webmail versions 1.5.14, 1.6.14, or 1.7-rc6, all of which include the necessary fix. Instructions for updating are available on the Roundcube website.
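To check an inventory of installations against the fixed releases listed above, a version triage script helps; the following is an added example, not code from Roundcube or from this advisory. The host names and sample versions are constructed, and the ordering of pre-release tags and the treatment of 1.7 final and later as fixed are assumptions.

```python
import re

# Fixed releases named in the advisory above: 1.5.14, 1.6.14 and 1.7-rc6.
FIXED_PATCH = {(1, 5): 14, (1, 6): 14}
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # assumed ordering of pre-release tags
FIXED_17_PRE = (PRE_RANK["rc"], 6)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)


def parse(version):
    """Split 'X.Y[.Z][-tagN]' into ((X, Y), Z, pre); pre is None for a final release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    pre = (PRE_RANK[m[4].lower()], int(m[5] or 0)) if m[4] else None
    return (int(m[1]), int(m[2])), int(m[3] or 0), pre


def is_affected(version):
    """True if the version predates the fixed release of its branch."""
    branch, patch, pre = parse(version)
    if branch < (1, 5):
        return True  # everything older than the 1.5 branch is prior to 1.5.14
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        # A pre-release of the fixed patch level still sorts before it.
        return patch < fixed or (patch == fixed and pre is not None)
    if branch == (1, 7) and patch == 0 and pre is not None:
        return pre < FIXED_17_PRE
    return False  # assumption: 1.7 final and later releases carry the fix


def triage(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown' (needs manual review)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE = {"mail-a": "1.5.13", "mail-b": "1.6.14", "mail-c": "1.7-rc5",
          "mail-d": "1.7-rc6", "mail-e": "1.4.15", "mail-f": "custom-build"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Version strings that do not parse are reported as `unknown` rather than silently treated as fixed, so patched or vendor-modified builds get a manual look.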