Roundcube Webmail
cpe:2.3:a:roundcube:roundcube:*:*:*:*:*:*:*, +2 more
- >= 1.6, < 1.6.16
- >= 1.7, < 1.7.1
A vulnerability exists in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1, due to inadequate HTML sanitization. This flaw could enable Cascading Style Sheets (CSS) injection through an SVG document containing an animate element with the attributeName attribute. The issue arises because the HTML sanitizer fails to properly handle certain SVG animations, allowing malicious users to inject harmful styles that could be applied when the SVG is rendered.
Exploitation of this vulnerability could lead to CSS injection, allowing attackers to manipulate the appearance of the webmail interface or potentially execute more harmful actions, such as JavaScript injection, if the injected CSS is used in a way that executes scripts.
To reproduce this vulnerability, create an SVG document that includes an animate element. Set the attributeName to 'style' and use the values attribute to inject CSS, such as 'filter:url(http://external.site)' or 'width:expression(alert(1))'. When this SVG is processed by Roundcube Webmail, the HTML sanitizer should fail to block the animation, allowing the CSS injection to occur. This can be tested by uploading the SVG into a context that the application does not properly sanitize, such as the subject field of the draft restore dialog.
Users are advised to update to Roundcube Webmail versions 1.6.16 or 1.7.1, both of which include the necessary fix. Instructions for downloading these versions are available on the Roundcube GitHub release pages.
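For checking stored messages or a sanitizer's output for the pattern described above, the following Python scanner is an added example, not Roundcube's own sanitizer code or fix. It reports SVG animation elements whose attributeName falls outside a small allowlist, which covers the `style` case and generalizes beyond it; the allowlist, the name `scan_markup` and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# SMIL elements that write to another element's attribute via attributeName.
ANIMATION_TAGS = {"animate", "set", "animatetransform"}
# Assumption: a small allowlist of animation targets chosen for this example.
# Anything else, including the advisory's "style", is reported.
ALLOWED_TARGETS = {"x", "y", "cx", "cy", "r", "rx", "ry",
                   "width", "height", "opacity", "transform"}

# Constructed sample inputs (not taken from a real message).
SAMPLE_FLAGGED = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10">
    <animate attributeName="style" values="color:red" dur="1s"/>
  </rect>
</svg>"""
SAMPLE_CLEAN = """<svg xmlns="http://www.w3.org/2000/svg">
  <circle r="5"><animate attributeName="r" values="5;10" dur="1s"/></circle>
</svg>"""


class AnimateTargetScanner(HTMLParser):
    """Collects (element, target) pairs for disallowed animation targets."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character
        # references in attribute values, so case and entity tricks normalize.
        local = tag.rsplit(":", 1)[-1]  # tolerate a namespace prefix
        if local not in ANIMATION_TAGS:
            return
        for name, value in attrs:
            if name != "attributename" or value is None:
                continue
            target = value.strip().lower()
            if target not in ALLOWED_TARGETS:
                self.findings.append((local, target))


def scan_markup(markup):
    """Return disallowed animation targets found in an HTML or SVG string."""
    scanner = AnimateTargetScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
```

A non-empty result on sanitized output indicates the sanitizer let an animation target through that the allowlist does not cover.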