CVE-2024-42008 — Cross-site Scripting in Webmail

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

9.3CRITICALNVD

EPSS

57.3%

top 1.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail

Timeline

PublishedAug 5

Description

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.8

Affected Packages1 packages

▶NVDroundcube/webmail1.6.0 — 1.6.8+1

🔴Vulnerability Details

GHSA

GHSA-78jf-j6qx-c7j3: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1↗2024-08-05

▶

OSV

CVE-2024-42008: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1↗2024-08-05

▶

CVEList

CVE-2024-42008: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1↗2024-08-05

▶

📋Vendor Advisories

Debian

CVE-2024-42008: roundcube - A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcu...↗2024

▶