CVE-2024-42008

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
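The mechanism the description names, a declared attachment Content-Type that a browser treats as active content being served back inside the webmail origin, as an added example. This is constructed illustration code, not Roundcube's rcmail_action_mail_get handler and not the bypass SonarSource reported; the set of "dangerous" media types, the sample message and the header policy are assumptions made for the example.

```python
"""Triage helper: which attachments in a message would run as script if a
webmail front end served them inline with their declared Content-Type, and
what a hardened attachment endpoint sends instead.
Constructed illustration only, not Roundcube's rcmail_action_mail_get code.
"""
import email
from email import policy

# Assumption: media types a browser renders as active content when served
# inline. The advisory does not list them; this set is general browser lore.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

SAFE_FALLBACK_TYPE = "application/octet-stream"


def media_type(content_type: str) -> str:
    """Strip parameters (charset=...) and normalise case before comparing."""
    return content_type.split(";", 1)[0].strip().lower()


def is_active_content(content_type: str) -> bool:
    return media_type(content_type) in ACTIVE_CONTENT_TYPES


def attachments(raw: bytes):
    """Yield (filename, declared Content-Type) for every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            yield part.get_filename() or "(unnamed)", part.get_content_type()


def flag_dangerous(raw: bytes):
    """Attachments whose declared type must never be served inline."""
    return [(name, ctype) for name, ctype in attachments(raw) if is_active_content(ctype)]


def safe_filename(name: str) -> str:
    """Drop characters that could break out of the quoted filename parameter."""
    cleaned = "".join(c for c in name if c.isprintable() and c not in '"\\')
    return cleaned or "attachment"


def response_headers(declared: str, filename: str, inline_requested: bool) -> dict:
    """Headers for serving one part.

    The vulnerable shape of this function echoes `declared` verbatim and
    honours `inline_requested` for every type. The hardened shape below
    forces active-content types to an opaque download and forbids sniffing.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    fname = safe_filename(filename)
    if is_active_content(declared):
        headers["Content-Type"] = SAFE_FALLBACK_TYPE
        headers["Content-Disposition"] = f'attachment; filename="{fname}"'
    else:
        headers["Content-Type"] = media_type(declared)
        disposition = "inline" if inline_requested else "attachment"
        headers["Content-Disposition"] = f'{disposition}; filename="{fname}"'
    return headers


# Constructed sample message: an HTML "invoice" carrying script, plus a PDF.
SAMPLE_EMAIL = b"""From: attacker@example.com
To: victim@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="invoice.html"

<script>alert(document.domain)</script>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for name, ctype in flag_dangerous(SAMPLE_EMAIL):
        print(f"DANGEROUS {name}: {ctype} -> {response_headers(ctype, name, True)}")
```

Run it against a real mailbox export to list which stored attachments a front end must refuse to serve inline; the point of `response_headers` is that the decision is made on the normalised media type, so a parameter or case change in the declared header cannot route an HTML or SVG part past the check.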
Configurations

Configuration 1

OR cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

History

06 Sep 2024, 21:48

Type       | Values Removed                                      | Values Added
CVSS       | v2: unknown; v3: unknown                            | v2: unknown; v3: 9.3
First Time |                                                     | Roundcube; Roundcube webmail
References | https://github.com/roundcube/roundcubemail/releases | https://github.com/roundcube/roundcubemail/releases (Release Notes)
References | https://github.com/roundcube/roundcubemail/releases/tag/1.5.8 | https://github.com/roundcube/roundcubemail/releases/tag/1.5.8 (Release Notes)
References | https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 | https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 (Release Notes)
References | https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 | https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 (Vendor Advisory)
References | https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/ | https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/ (Technical Description)
CPE        |                                                     | cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
CWE        |                                                     | CWE-79

06 Aug 2024, 16:30

Type       | Values Removed | Values Added
Summary    |                | (es, translated) A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send a victim's emails via a malicious e-mail attachment served with a dangerous Content-Type header.

05 Aug 2024, 19:15

Type       | Values Removed | Values Added
New CVE    |                |

Information

Published : 2024-08-05 19:15

Updated : 2024-09-06 21:48


NVD link : CVE-2024-42008

Mitre link : CVE-2024-42008

CVE.ORG link : CVE-2024-42008


Products Affected

roundcube

  • webmail
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')