Cross-Site Scripting vulnerability in Roundcube
CVE-2024-42009
Key Information:
Badges
What is CVE-2024-42009?
A Cross-Site Scripting vulnerability exists in Roundcube Webmail versions up to 1.5.7 and 1.6.x before 1.6.8. This vulnerability allows a remote attacker to execute malicious scripts in the context of the user's session. By crafting a malicious email, an attacker can exploit desanitization issues in the message_body() function located in program/actions/mail/show.php, potentially gaining access to sensitive user information and enabling the theft of emails. This poses significant risks for individuals and organizations relying on Roundcube for their email communications.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Help Net SecurityReferences
EPSS Score
30% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by Help Net Security
Vulnerability published
Vulnerability Reserved