Roundcube Webmail Fixed-Position Mitigation Bypass Vulnerability via !important

Vulnerability

A vulnerability allowing a fixed-position mitigation bypass has been identified in Roundcube Webmail versions prior to 1.5.14 and 1.6.14. This issue arises from inadequate sanitization of Cascading Style Sheets (CSS) in HTML email messages, which can be exploited by using the !important declaration to override styling rules. The vulnerability was reported by nullcathedral.

Impact

Exploitation of this vulnerability allows for a bypass of the fixed-position mitigation, potentially leading to unintended layout or styling changes in the webmail interface.

Reproduction

The vulnerability can be reproduced by sending an HTML email that includes CSS styles with the 'position' property set to 'fixed', using the !important declaration to override any existing styles. When the email is viewed in Roundcube Webmail, the styling should be applied as 'absolute' instead of 'fixed', indicating that the mitigation has been bypassed.
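As an added illustration (not Roundcube's own code), the following hypothetical Python sanitizer shows the kind of rewrite the advisory describes: a naive rule that only matches a plain `position: fixed;` declaration and lets an `!important` variant through, beside a declaration-level rewrite that strips the priority flag before comparing the value. The sample CSS is constructed.

```python
import re

# Constructed sample of CSS that an HTML email might carry (not taken from the advisory).
SAMPLE_CSS = (
    "div.banner { position: fixed; top: 0 }\n"
    "div.overlay { position : FIXED !important ; left: 0 }\n"
    "p { position: relative }"
)

# Naive rewrite (hypothetical, illustrating the weakness): it only matches the token
# sequence "position: fixed;" with the semicolon directly after the value, so a
# declaration such as "position: fixed !important;" passes through untouched.
NAIVE_RE = re.compile(r"position\s*:\s*fixed\s*;", re.IGNORECASE)

def naive_sanitize(css: str) -> str:
    return NAIVE_RE.sub("position: absolute;", css)

# Hardened rewrite: match each "property: value [!important]" declaration up to the
# next ';' or '}', normalise the property and value, and decide on the value alone.
DECL_RE = re.compile(
    r"(?P<prop>[-\w]+)\s*:\s*(?P<value>[^;{}]*?)\s*(?P<prio>!\s*important)?\s*(?=;|})",
    re.IGNORECASE,
)

def _rewrite_decl(m: "re.Match[str]") -> str:
    prop = m.group("prop").lower()
    value = m.group("value").strip().lower()
    if prop == "position" and value == "fixed":
        # Replace the whole declaration, priority flag included, so the rewritten
        # value cannot be re-elevated by a trailing !important.
        return "position: absolute"
    return m.group(0)

def hardened_sanitize(css: str) -> str:
    return DECL_RE.sub(_rewrite_decl, css)

def fixed_remaining(css: str) -> int:
    """Count 'position' declarations whose effective value is still 'fixed',
    ignoring case, whitespace and any !important priority."""
    return sum(
        1
        for m in DECL_RE.finditer(css)
        if m.group("prop").lower() == "position"
        and m.group("value").strip().lower() == "fixed"
    )

if __name__ == "__main__":
    print("naive leaves fixed:", fixed_remaining(naive_sanitize(SAMPLE_CSS)))
    print("hardened leaves fixed:", fixed_remaining(hardened_sanitize(SAMPLE_CSS)))
```

Running it shows the naive rule leaving one `fixed` declaration in place (the `!important` one) while the hardened rule leaves none.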

Remediation

Users can update to Roundcube Webmail versions 1.5.15, 1.6.14, or 1.7-rc6, all of which include the necessary fix. Instructions for updating are available on the Roundcube website.

Added: Apr 3, 2026, 5:21 AM
Updated: Apr 3, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm
  spread:         6.4
  impact:         0.8
  exploitability: 7.4
  remediation:    7.7
  relevance:      5.2
  threat:         4.8
  urgency:        2.9
  incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.