CVE-2024-42010
Advisory lineage Upstream: 0 Downstream: 7
Deferred
Published: 05 Aug 2024, 00:00
Last modified:12 Aug 2024, 13:42
Vulnerability Summary
Overall Risk (default)
medium
33/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
14.76% MEDIUM
15% probability -2.49%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
05 Aug 2024, 00:00
Published
Vulnerability first disclosed
12 Aug 2024, 13:42
Last Modified
Vulnerability information updated
Description
mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Trends
Current EPSS score: 14.76%• Percentile: 95%
Techniques & Countermeasures
- CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
References (5)
- https://github.com/roundcube/roundcubemail/releases
- https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8