VYPR
Critical severity · NVD Advisory · Published Oct 16, 2019 · Updated Aug 5, 2024

CVE-2019-17625


Description

Stored XSS in Rambox 0.6.9 allows arbitrary code execution via unsanitized service name field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2019-17625 is a stored cross-site scripting (XSS) vulnerability in Rambox version 0.6.9, a messaging and emailing application built on Electron. The flaw resides in the service name field during addition or editing of a service. Input sanitization is insufficient, allowing arbitrary HTML and JavaScript to be stored and later executed when the service list is rendered [1][3].

Exploitation

Details

An attacker can inject a script payload into the service name field. Because Rambox runs on Node.js and Electron, the injected JavaScript can access Node.js APIs, including `require('child_process').exec`. This enables execution of arbitrary operating system commands on the host machine. The stored XSS triggers automatically for any user who views the affected service list, requiring no interaction beyond opening the application [3][4].
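The rendering defect described above and the two controls that contain it (output encoding of the stored name, and an Electron renderer that does not expose Node), as an added illustration that is not Rambox's code; the function names, the webPreferences object and the sample service names are assumed and constructed.

```javascript
// Constructed sample: one ordinary service and one whose stored name carries
// an HTML payload, the shape of input the advisory describes.
const SERVICES = [
  { id: 1, name: 'Slack' },
  { id: 2, name: '<img src=x onerror="alert(1)">' },
];

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical): the stored name is concatenated into
// markup as-is, so any tag in it becomes live DOM when the list is rendered.
function renderServiceListVulnerable(services) {
  return services.map(s => `<li data-id="${s.id}">${s.name}</li>`).join('');
}

// Hardened pattern: every user-controlled field is escaped before it reaches
// an HTML context (equivalently, assign it via textContent on the DOM side).
function renderServiceListSafe(services) {
  return services
    .map(s => `<li data-id="${escapeHtml(s.id)}">${escapeHtml(s.name)}</li>`)
    .join('');
}

// Second control: even if a script does run in the renderer, it must not be
// able to reach require('child_process'). Electron's BrowserWindow
// webPreferences keys nodeIntegration and contextIsolation decide that.
// Fails closed: a missing key counts as not isolated.
function rendererIsIsolated(webPreferences) {
  const p = webPreferences || {};
  return p.nodeIntegration === false && p.contextIsolation === true;
}

// Rough detection helper: does rendered output still contain a live tag
// that originated in attacker-controlled text?
function containsLiveTag(html) {
  return /<(script|img|iframe|svg|object)\b/i.test(html);
}

console.log(renderServiceListSafe(SERVICES));
```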

Impact

Successful exploitation grants the attacker full remote code execution with the privileges of the Rambox process. This can lead to data exfiltration, installation of malware, or complete compromise of the user's system. The vulnerability is particularly severe because it combines stored XSS with Node.js integration, bypassing typical browser sandbox restrictions [1][3].

Mitigation

The Rambox Community Edition, including version 0.6.9, is no longer maintained and has reached end-of-life (EOL). Users are strongly advised to upgrade to the current Rambox Pro version, which offers a free plan and includes security fixes. No official patch for the community edition exists [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
Rambox (npm)   <= 0.6.9

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.