CVE-2024-42008
published 2024-08-05


Priority: P355
Severity: critical, CVSS 3.1 base score 9.3
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:N
EPSS: 32.27% (98.1th percentile)
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Affected

4 ranges

Vendor      Product    Version range                              Fixed in
debian      roundcube  < 1.6.5+dfsg-1+deb12u3 (bookworm)          1.6.5+dfsg-1+deb12u3 (bookworm)
roundcube   webmail    < 1.5.8                                    1.5.8
roundcube   webmail    >= 1.6.0, < 1.6.8                          1.6.8
ubuntu      roundcube  (no range listed)                          (not listed)

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via a malicious e-mail attachment served with a dangerous Content-Type header, targeting the rcmail_action_mail_get->run() code path in Roundcube
  • Monitor Roundcube mail attachment fetch requests (rcmail_action_mail_get) for responses with unexpected or dangerous Content-Type headers that could enable script execution in the browser
  • Affected versions are Roundcube through 1.5.7 and 1.6.x through 1.6.7; fixed in 1.6.8 (upstream) and the respective Debian backport versions
  • Scope is listed as local in the Debian security tracker, meaning exploitation requires delivery of a crafted email to a victim whose Roundcube instance is reachable

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.3    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
osv                      9.3    CRITICAL
vendor_debian            9.3    CRITICAL
vendor_ubuntu            7.4    HIGH