CVE-2024-42009
Published 2024-08-05
Priority: P1 (86) · Severity: critical, 9.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-06-30
Exploited in the wild
EPSS: 82.85% (99.6th percentile)
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Affected (3 ranges)
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| debian | roundcube | bookworm, before 1.6.5+dfsg-1+deb12u3 | 1.6.5+dfsg-1+deb12u3 (bookworm) |
| roundcube | webmail | < 1.5.8 | 1.5.8 |
| roundcube | webmail | >= 1.6.0, < 1.6.8 | 1.6.8 |
Detection & IOCs (extracted from sources)
- Nuclei template detects vulnerable Roundcube versions by extracting the rcversion JSON field from the base URL response and comparing it against the affected version range (1.6.0–1.6.7)
- Vulnerable version range for detection: Roundcube 1.6.0 through 1.6.7 (also 1.5.x through 1.5.7); match on the rcversion field in the HTTP response body
- Shodan/FOFA fingerprinting: search for Roundcube instances via CPE string or session cookie to identify exposed attack surface
- CVE-2024-42009 was actively exploited by Ghostwriter (UAC-0057/FrostyNeighbor) in phishing campaigns against Polish entities to run malicious JavaScript capturing email login credentials
- Post-exploitation indicators: after credential capture via XSS, threat actors analyzed mailbox contents, downloaded contact lists, and sent further phishing from compromised accounts
- The vulnerability is a desanitization issue specifically in the message_body() function; the XSS is triggered when a victim views a crafted email, so it requires user interaction (UI:R in CVSS)
- Affected versions: Roundcube through 1.5.7 and 1.6.x through 1.6.7; fixed in 1.6.8 and 1.5.8
- CISA KEV listed with remediation due date 2025-06-30; confirmed in-the-wild exploitation
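A version check of the kind the Nuclei template performs, written here as an added Python example (it is not code from this page, from Roundcube, or from the Nuclei project): it pulls the rcversion field out of a constructed page response, normalizes it to a (major, minor, patch) tuple, and tests it against the ranges the advisory gives (anything before 1.5.8, and 1.6.0 up to but not including 1.6.8). Whether Roundcube emits rcversion as an integer such as 10607 or as a dotted string is an assumption, so both encodings are accepted. One caveat the Affected table above makes visible: distributions backport the fix without bumping the upstream version (Debian bookworm ships 1.6.5+dfsg-1+deb12u3), so a version match on a packaged host is a lead to confirm against the package changelog, not proof of exposure.

```python
import re

# Constructed sample responses, not captured from real hosts. Roundcube pages
# bootstrap the client with rcmail.set_env({... "rcversion": ...}); whether
# that value is an integer (10607 for 1.6.7) or a dotted string is an
# assumption here, so both encodings are accepted.
SAMPLE_INT = '<script>rcmail.set_env({"task":"login","rcversion":10607});</script>'
SAMPLE_STR = '<script>rcmail.set_env({"task":"login","rcversion":"1.5.8"});</script>'
SAMPLE_NONE = '<html><body><h1>Not a Roundcube page</h1></body></html>'

RCVERSION_RE = re.compile(r'"rcversion"\s*:\s*"?(\d+(?:\.\d+)*)"?')

# Affected ranges from the advisory as [lo, hi) tuples of (major, minor, patch):
# everything before 1.5.8 (so 1.4.x and older count too), and 1.6.0 up to 1.6.8.
AFFECTED = [((0, 0, 0), (1, 5, 8)), ((1, 6, 0), (1, 6, 8))]


def parse_version(raw):
    """Normalize a raw rcversion value to a (major, minor, patch) tuple.

    Dotted strings are split and right-padded with zeros; the integer form is
    assumed to be major*10000 + minor*100 + patch (10607 -> 1.6.7).
    """
    if "." in raw:
        parts = [int(p) for p in raw.split(".")]
        parts += [0] * (3 - len(parts))
        return tuple(parts[:3])
    n = int(raw)
    return (n // 10000, (n // 100) % 100, n % 100)


def extract_version(body):
    """Return the normalized version found in a page body, or None if absent."""
    m = RCVERSION_RE.search(body)
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    """True when the version falls inside any advisory range (hi is exclusive)."""
    return any(lo <= version < hi for lo, hi in AFFECTED)


def check_response(body):
    """Classify a response body as vulnerable / patched / unknown, by version only.

    'vulnerable' means the upstream version string is in range; backported
    distro fixes (e.g. Debian 1.6.5+dfsg-1+deb12u3) still report 1.6.5 here.
    """
    version = extract_version(body)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_affected(version) else "patched", version)


if __name__ == "__main__":
    for body in (SAMPLE_INT, SAMPLE_STR, SAMPLE_NONE):
        print(check_response(body))
```

Feed it the body of a GET against the Roundcube base URL; an unauthenticated login page is enough, since the environment bootstrap is emitted before login.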
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
| osv | | 9.3 | CRITICAL | |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
| vendor_debian | | 9.3 | CRITICAL | |
Ubuntu
Roundcube Webmail vulnerability
vendor_ubuntu·2025-07-14
CVE-2024-42009 Roundcube Webmail vulnerability
Title: Roundcube Webmail vulnerability
Summary: Roundcube Webmail could be made to expose sensitive information over the network.
It was discovered that Roundcube Webmail incorrectly handled sanitization in
the message_body function. A remote attacker could possibly use this issue to
send and receive emails as another user.
Instructions: In general, a standard system update will make all the necessary changes.
CISA
RoundCube Webmail Cross-Site Scripting Vulnerability
cisa·2025-06-09·CVSS 9.3
CVE-2024-42009 [CRITICAL] CWE-79 RoundCube Webmail Cross-Site Scripting Vulnerability
Vulnerability: RoundCube Webmail Cross-Site Scripting Vulnerability
Affected: Roundcube Webmail
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-42009
Remediation Due Date: 2025-06-30
Debian
CVE-2024-42009: roundcube - A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x throug...
vendor_debian·2024·CVSS 9.3
CVE-2024-42009 [CRITICAL] CVE-2024-42009: roundcube - A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x throug...
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u4)
forky: resolved (fixed in 1.6.8+dfsg-1)
sid: resolved (fixed in 1.6.8+dfsg-1)
trixie: resolved (fixed in 1.6.8+dfsg-1)
OSV
CVE-2024-42009: A Cross-Site Scripting vulnerability in Roundcube through 1
osv·2024-08-05·CVSS 9.3
CVE-2024-42009 [CRITICAL] CVE-2024-42009: A Cross-Site Scripting vulnerability in Roundcube through 1
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
GHSA
GHSA-j43g-prf4-578j: A Cross-Site Scripting vulnerability in Roundcube through 1
ghsa_unreviewed·2024-08-05
CVE-2024-42009 [CRITICAL] CWE-79 GHSA-j43g-prf4-578j: A Cross-Site Scripting vulnerability in Roundcube through 1
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
VulnCheck
RoundCube Webmail Cross-Site Scripting Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-42009 [CRITICAL] CWE-79 RoundCube Webmail Cross-Site Scripting Vulnerability
RoundCube Webmail Cross-Site Scripting Vulnerability
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Affected: Roundcube Roundcube Webmail
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/; https://asset
Suricata
ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009)
suricata·2026-01-08·CVSS 9.3
CVE-2024-42009 [CRITICAL] ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009)
ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009)
Rule:
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009)"; flow:established,to_server; http.request_body; content:"message|3d|"; pcre:"/^.*?\x3cbody\x20[^\x3e]*?\x20on[a-z]+\x3d/R"; content:"email|3d|"; content:"content|3d|html"; fast_pattern; content:"recipient|3d|"; http.method; content:"POST"; reference:url,www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/; reference:cve,2024-42009; classtype:web-application-attack; sid:2066621; rev:1; metadata:affected_product Roundcube, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_08, cve CVE_2024_42009, deployment Perimeter
```
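Read the rule's scope before relying on it: it inspects an HTTP POST body (flow to_server, http.method POST) for a `<body ... on*=` tag alongside form fields named message, email, recipient and content=html, and its metadata says it needs decrypted TLS (tls_state TLSDecrypt). So it fires when someone submits the crafted HTML through a web form on the monitored side, not when the crafted message reaches the victim's mailbox over SMTP, which is the delivery path the advisory describes. The signature itself (an event-handler attribute on the `<body>` element of an HTML mail part) is still worth checking at the mail gateway. The following is an added Python example, not code from this page, from Emerging Threats or from Roundcube: it parses a MIME message, decodes each text/html part, and reports on* attributes on `<body>`. The sample messages are constructed inline and the handler value is a placeholder, not a working payload. Decoding the transfer encoding first matters, since a base64- or quoted-printable-encoded part shows none of these byte patterns on the wire.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class BodyHandlerFinder(HTMLParser):
    """Collects on* event-handler attributes found on <body> tags."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and resolves quoted,
        # unquoted and mixed-case forms, so <BODY ONLOAD=x()> is caught too.
        if tag == "body":
            for name, value in attrs:
                if name.startswith("on"):
                    self.hits.append((name, value))

    handle_startendtag = handle_starttag


def body_event_handlers(html):
    """Return [(attribute, value), ...] for on* attributes on <body> in html."""
    finder = BodyHandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_message(raw_bytes):
    """Return [(part_index, attribute, value), ...] for every text/html part
    whose <body> carries an event handler. Parts are decoded first, so a
    base64- or quoted-printable-encoded payload is not missed."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes the transfer encoding and charset
        for name, value in body_event_handlers(html):
            findings.append((index, name, value))
    return findings


# Constructed sample messages (not real captures). The handler value is a
# placeholder, not a working payload.
MALICIOUS_HTML = '<html><body onload="x()"><p>Invoice attached</p></body></html>'
BENIGN_HTML = '<html><body style="margin:0"><p>Invoice attached</p></body></html>'


def build_sample(html, cte="base64"):
    """Build a multipart/alternative message carrying html with the given
    Content-Transfer-Encoding, the shape an SMTP gateway receives it in."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(html, subtype="html", cte=cte)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, html in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_message(build_sample(html)))
```

This is a triage signal for hunting in mail logs or quarantine, not a mitigation: the fix is the 1.5.8 / 1.6.8 update, and other markup the sanitizer post-processing mishandles would not match this one pattern.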
Nuclei
Roundcube Webmail - Cross-Site Scripting
nuclei·CVSS 9.3
CVE-2024-42009 [CRITICAL] Roundcube Webmail - Cross-Site Scripting
Roundcube Webmail - Cross-Site Scripting
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Template:
```yaml
id: CVE-2024-42009

info:
  name: Roundcube Webmail - Cross-Site Scripting
  author: rxerium
  severity: critical
  description: |
    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
  impact: |
    Attackers can steal and send victim emails, leading to privacy breach and potenti
```
Hackernews
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
blogs_hackernews·2026-05-14·CVSS 7.8
CVE-2023-38831 [HIGH] Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
## Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine.
Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
"FrostyNeighbor has been running continual cyber operations, changing and updating
References
- https://github.com/roundcube/roundcubemail/releases
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
- https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009
Timeline
- 2024-08-05: Published
- 2025-06-09: Added to CISA KEV
- Exploited in the wild