CVE-2024-42009

CVSS 9.3 CRITICAL · EPSS 82.9% · KEV · CWE-79
In short

Roundcube email clients versions up to 1.5.7 and 1.6.x up to 1.6.7 have a flaw where specially crafted emails can inject malicious code that runs in a victim's browser, allowing attackers to steal and send emails on their behalf.

Technical detail

A Cross-Site Scripting (XSS) vulnerability exists in the message_body() function of program/actions/mail/show.php due to improper desanitization of email content. An attacker can deliver a crafted email message that executes arbitrary JavaScript in the victim's browser context, enabling email theft and unauthorized message transmission. The vulnerability requires the victim to open the malicious email.

Summary generated and translated by AI from the official description.
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
