Roundcube's HTML sanitizer doesn't treat SVG feImage href as an image source. Attackers can bypass remote image blocking to track email opens.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Roundcube Webmail versions before 1.5.13 and 1.6.13 contained a vulnerability where the HTML sanitizer failed to block remote image loads through SVG feImage elements. While the sanitizer correctly blocked external resources on img, image, and use tags, it routed feImage href attributes through the wrong code path (wash_link instead of is_image_attribute), allowing attackers to bypass the "Block remote images" setting and track email opens. The fix adds feImage to the regex pattern that identifies image-bearing SVG elements, ensuring remote URLs are properly blocked.

Roundcube Webmail <1.5.13 / <1.6.13 allows attackers to force remote image loads via SVG feImage