CVE-2024-42009

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Configurations

Configuration 1

OR: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

History

06 Sep 2024, 21:50

Type       | Values Removed                | Values Added
CWE        |                               | CWE-79
First Time |                               | Roundcube; Roundcube webmail
CVSS       | v2 : unknown; v3 : unknown    | v2 : unknown; v3 : 9.3
CPE        |                               | cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
References | https://github.com/roundcube/roundcubemail/releases (untagged) | https://github.com/roundcube/roundcubemail/releases - Release Notes
References | https://github.com/roundcube/roundcubemail/releases/tag/1.5.8 (untagged) | https://github.com/roundcube/roundcubemail/releases/tag/1.5.8 - Release Notes
References | https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 (untagged) | https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 - Release Notes
References | https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 (untagged) | https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 - Vendor Advisory
References | https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/ (untagged) | https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/ - Technical Description

06 Aug 2024, 16:30

Type    | Values Removed | Values Added
Summary |                | (es) A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.

05 Aug 2024, 19:15

Type    | Values Removed | Values Added
New CVE |                |

Information

Published : 2024-08-05 19:15

Updated : 2024-09-06 21:50


NVD link : CVE-2024-42009

Mitre link : CVE-2024-42009

CVE.ORG link : CVE-2024-42009

Products Affected

roundcube

  • webmail
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')