CVE-2024-42008
Advisory lineage Upstream: 0 Downstream: 7
Modified
Published: 05 Aug 2024, 00:00
Last modified:13 Mar 2025, 15:35
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.3 CRITICAL
v3.1 (cve.org)
EPSS Score
57.25% CRITICAL
57% probability -1.32%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
05 Aug 2024, 00:00
Published
Vulnerability first disclosed
13 Mar 2025, 15:35
Last Modified
Vulnerability information updated
Description
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 57.25%• Percentile: 98%
Techniques & Countermeasures
- CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Affected Systems
- Unknown•Webmail
< 1.5.8 | ≥ 1.6.0, < 1.6.8
References (5)
- https://github.com/roundcube/roundcubemail/releases
- https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8