id: CVE-2024-42009

info:
  name: Roundcube Webmail - Cross-Site Scripting
  author: rxerium
  severity: critical
  description: |
    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
  impact: |
    Attackers can steal and send victim emails, leading to privacy breach and potential further exploitation.
  remediation: |
    Update to the latest version of Roundcube, version 1.6.8 or later.
  reference:
    - https://github.com/roundcube/roundcubemail/releases
    - https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
    - https://nvd.nist.gov/vuln/detail/CVE-2024-42009
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 9.3
    cve-id: CVE-2024-42009
    epss-score: 0.90482
    epss-percentile: 0.99626
    cwe-id: CWE-79
    cpe: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: cpe:"cpe:2.3:a:roundcube:webmail"
    fofa-query: "roundcube_sessid"
  tags: cve,cve2024,roundcube,xss,vkev,passive,kev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        name: major
        group: 1
        regex:
          - '"rcversion":(\d)'
        internal: true

      - type: regex
        name: minor
        group: 1
        regex:
          - '"rcversion":\d\d(\d)'
        internal: true

      - type: regex
        name: patch
        group: 1
        regex:
          - '"rcversion":\d\d\d(\d+)'
        internal: true

      - type: dsl
        name: version
        dsl:
          - major + "." + minor + "." + patch
        internal: true

      - type: dsl
        dsl:
          - '"Roundcube Version: "+ version'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - compare_versions(version, '<= 1.5.7')
          - compare_versions(version, '>= 1.6.0', '<= 1.6.7')
        condition: or

      - type: word
        part: body
        words:
          - "Roundcube"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200cb8c273ab98320f9badb740f87c6281f6b1f5bbd8793df172e32cbed6357307022100c159f1181849510714e62b010cd4e24cdea7516fd9d98556be8dff4476f0a9b8:922c64590222798bb761d5b6d8e72950