CVE-2025-68460
📋 TL;DR
Roundcube Webmail contains an information disclosure vulnerability in its HTML style sanitizer that could allow attackers to extract sensitive data from email content. This affects all Roundcube installations running versions before 1.5.12 or 1.6 before 1.6.12. The vulnerability requires an attacker to send specially crafted HTML emails to target users.
💻 Affected Systems
- Roundcube Webmail
📦 What is this software?
Webmail by Roundcube
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive information from email content including passwords, tokens, or confidential business data by sending malicious HTML emails to users.
Likely Case
Information leakage of email content that may include personal data, authentication tokens, or other sensitive information visible in HTML-styled emails.
If Mitigated
Limited impact with proper email filtering and user awareness about suspicious HTML emails.
🎯 Exploit Status
Exploitation requires sending specially crafted HTML emails to target users. Attackers need to bypass the HTML sanitizer to extract information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.12 or 1.6.12
Vendor Advisory: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
Restart Required: Yes
Instructions:
1. Backup your Roundcube installation and database.
2. Download the patched version from roundcube.net.
3. Replace the existing installation with the patched version.
4. Restart your web server.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable HTML email rendering
Configure Roundcube to display emails in plain text only, bypassing the vulnerable HTML sanitizer.
Edit config/config.inc.php and set: $config['prefer_html'] = false;
Implement external email filtering
Use external email security gateways to filter and sanitize HTML content before it reaches Roundcube.
🧯 If You Can't Patch
- Implement strict email filtering at the network perimeter to block suspicious HTML content
- Educate users about the risks of HTML emails and encourage plain text viewing
🔍 How to Verify
Check if Vulnerable:
Check your Roundcube version by viewing the index.php page source or checking the version in the admin interface.
Check Version:
grep 'RCMAIL_VERSION' /path/to/roundcube/program/include/iniset.php | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'
Verify Fix Applied:
Verify that the version number is 1.5.12 or higher for the 1.5.x branch, or 1.6.12 or higher for the 1.6.x branch.
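The version check above carried through as a small script, as an added example that is not part of this advisory or of the Roundcube project: it reads the version out of iniset.php and applies the advisory's branch rule (anything before 1.5.12 is affected, 1.6.x is affected before 1.6.12; branches newer than 1.6 are reported as not covered). It assumes the version is recorded as `define('RCMAIL_VERSION', 'X.Y.Z');` in program/include/iniset.php; the sample file it builds is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not advisory or Roundcube code). Assumption: iniset.php
# records the version as  define('RCMAIL_VERSION', '1.6.11');

# Print the first X.Y.Z version found on the RCMAIL_VERSION line of file $1.
rc_version_from_iniset() {
    grep 'RCMAIL_VERSION' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print "fixed", "vulnerable" or "unknown" for version string $1, following
# the advisory: everything before 1.5.12 is affected, 1.6.x is affected
# before 1.6.12; branches newer than 1.6 are not covered by the advisory.
rc_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    case "$major.$minor" in
        1.5) [ "$patch" -ge 12 ] && echo fixed || echo vulnerable ;;
        1.6) [ "$patch" -ge 12 ] && echo fixed || echo vulnerable ;;
        *)
            if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 5 ]; }; then
                echo vulnerable      # 1.4.x and older: before 1.5.12
            else
                echo unknown         # newer branch, not named in the advisory
            fi ;;
    esac
}

# Both steps for an installation root such as /var/www/roundcube.
rc_check_install() {
    rc_status "$(rc_version_from_iniset "$1/program/include/iniset.php")"
}

# Constructed sample install containing only the line that matters.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/program/include"
printf "<?php\ndefine('RCMAIL_VERSION', '1.6.11');\n" \
    > "$SAMPLE_ROOT/program/include/iniset.php"

echo "sample install: $(rc_check_install "$SAMPLE_ROOT")"   # vulnerable
```

On a real host, replace the sample root with the installation directory: `rc_check_install /path/to/roundcube`.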
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML parsing errors in Roundcube logs
- Multiple failed sanitization attempts
Network Indicators:
- Unusual HTML content in incoming emails with complex style attributes
SIEM Query:
source="roundcube.logs" AND ("sanitizer" OR "html parse" OR "style attribute") AND (error OR warning)