Email Stealing Vulnerability in Roundcube
CVE-2024-42008

9.3CRITICAL

Key Information:

Vendor

Roundcube

Status
Webmail
Vendor
CVE Published:
5 August 2024

Badges

👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2024-42008?

A Cross-Site Scripting (XSS) vulnerability exists in the rcmail_action_mail_get->run() function of Roundcube Webmail, affecting versions up to 1.6.7 and 1.5.7. This vulnerability enables a remote attacker to compromise the email account of a victim by exploiting a malicious email attachment that contains an unsafe Content-Type header. Successful exploitation can lead to unauthorized access to the victim's emails, allowing attackers to send and potentially steal sensitive information.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC
Created by victoni

News Articles

favicon imageHelp Net Security

Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008) - Help Net Security

Roundcube XSS vulnerabilities (CVE-2024-42009, CVE-2024-42008) could be exploited to steal users' emails and contacts, and send emails.

References

https://github.com/roundcube/roundcubemail/releases
https://sonarsource.com/blog/government-emails-at-risk-cr...
https://github.com/roundcube/roundcubemail/releases/tag/1...

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by Help Net Security

  • Vulnerability published

  • Vulnerability Reserved

.