cbcvebase.
CVE-2024-42009
published 2024-08-05


Priority: P1 · 86 · critical · 9.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-06-30
Exploited in the wild
EPSS: 82.85% (99.6th percentile)
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Affected

3 ranges

Vendor      Product    Version range                        Fixed in
debian      roundcube  < 1.6.5+dfsg-1+deb12u3 (bookworm)    1.6.5+dfsg-1+deb12u3 (bookworm)
roundcube   webmail    < 1.5.8                              1.5.8
roundcube   webmail    >= 1.6.0, < 1.6.8                    1.6.8

Detection & IOCs (extracted from sources)

path: program/actions/mail/show.php
  • Nuclei template detects vulnerable Roundcube versions by extracting the rcversion JSON field from the base URL response and comparing it against the affected version ranges (1.6.0–1.6.7)
  • Vulnerable version range for detection: Roundcube 1.6.0 through 1.6.7 (and 1.5.x through 1.5.7); match on the rcversion field in the HTTP response body
  • Shodan/FOFA fingerprinting: search for Roundcube instances via the CPE string or the session cookie name to identify exposed attack surface
  • CVE-2024-42009 was actively exploited by Ghostwriter (UAC-0057/FrostyNeighbor) in phishing campaigns against Polish entities, running malicious JavaScript that captured email login credentials
  • Post-exploitation indicators: after capturing credentials via the XSS, the threat actors analyzed mailbox contents, downloaded contact lists, and sent further phishing from the compromised accounts
  • The vulnerability is a desanitization issue specifically in the message_body() function; the XSS fires when the victim views a crafted email, so user interaction is required (UI:R in CVSS)
  • Affected versions: Roundcube through 1.5.7 and 1.6.x through 1.6.7; fixed in 1.5.8 and 1.6.8
  • Listed in CISA KEV with remediation due date 2025-06-30; in-the-wild exploitation confirmed
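The version check the Nuclei template performs, written out as an added example so the range logic can be run and audited offline. This is not the template's own code and not Roundcube's: the rcversion regex follows the field name cited above, but the way the integer packs the release (major*10000 + minor*100 + patch, so 1.6.7 becomes 10607) is an assumption that should be confirmed against an instance of known version before relying on it. The sample response bodies are constructed, not captured.

```python
import re

# Affected ranges as stated on this page: every release up to and including
# 1.5.7, and 1.6.0 through 1.6.7. Fixed in 1.5.8 and 1.6.8.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 5, 7)),
    ((1, 6, 0), (1, 6, 7)),
]


def parse_dotted(version):
    """Turn '1.6.7' (or '1.6') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def decode_rcversion(value):
    """Decode the integer Roundcube exposes as rcversion.

    ASSUMPTION (not stated on this page): the value packs the release as
    major*10000 + minor*100 + patch, so 1.6.7 -> 10607. Confirm against an
    instance whose version you already know before trusting the result.
    """
    major, rest = divmod(int(value), 10000)
    minor, patch = divmod(rest, 100)
    return (major, minor, patch)


def extract_rcversion(body):
    """Pull the rcversion JSON field out of the base URL's HTML, or None."""
    m = re.search(r'"rcversion"\s*:\s*(\d+)', body)
    return int(m.group(1)) if m else None


def is_affected(version):
    """True if a (major, minor, patch) tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_response(body):
    """Classify one response body: True/False, or None if no version is exposed."""
    raw = extract_rcversion(body)
    if raw is None:
        return None
    return is_affected(decode_rcversion(raw))


# Constructed sample bodies in the shape of Roundcube's rcmail.set_env(...)
# call; they are illustrations, not captures from a real server.
SAMPLE_VULNERABLE = (
    '<script>rcmail.set_env({"task":"login","locale":"en_US",'
    '"rcversion":10607,"cookie_path":"\\/"});</script>'
)
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace('"rcversion":10607', '"rcversion":10608')
SAMPLE_NOT_ROUNDCUBE = "<html><body>It works!</body></html>"

if __name__ == "__main__":
    for label, body in [("vulnerable", SAMPLE_VULNERABLE),
                        ("fixed", SAMPLE_FIXED),
                        ("other", SAMPLE_NOT_ROUNDCUBE)]:
        print(label, check_response(body))
```

One caveat the Affected table above makes visible: Debian bookworm ships the fix as 1.6.5+dfsg-1+deb12u3, so a patched Debian host still reports a 1.6.5 banner and this check (like the Nuclei template) will flag it. On distribution-packaged installs confirm with the package version rather than the banner.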

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.3    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
osv                      9.3    CRITICAL
vulncheck                9.3    CRITICAL
cisa                     9.3    CRITICAL
vendor_debian            9.3    CRITICAL