Skip to main content

Updates address three vulnerabilities that could lead to theft of emails and contacts

Threat ID:CC-4535
Threat Severity:Medium
Published:8 August 2024 2:38 PM

Summary

Updates address three vulnerabilities that could lead to theft of emails and contacts

Affected platforms

The following platforms are known to be affected:

Versions: All prior to 1.6.8 | All prior to 1.5.8
Roundcube Webmail

Threat details

Proof-of-concept for CVE-2024-42009 & CVE-2024-42008

A video demonstration proof-of-concept has been published by a security researcher without technical details. NHS National CSOC assess these vulnerabilities are likely to be exploited. 


Introduction

Roundcube has released security updates for its webmail product addressing two cross-site scripting (XXS) vulnerabilities. Roundcube webmail is a free and open-source webmail solution with a desktop-like user interface which runs on a standard LAMPP (Linux, Apache, MySQL/MariaDB, PHP, PHPMyAdmin) server. 

The updates address vulnerabilities CVE-2024-42009 and CVE-2024-42008, which an unauthenticated attacker could exploit to steal emails or contacts and send emails from the victims account. Additionally, vulnerability CVE-2024-42010 could allow an attacker to access sensitive information.

Remediation advice

Affected organisations are encouraged to review the security updates 1.6.8 and 1.5.8 and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-42009A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
StatusPublished
CVE-2024-42008A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
StatusPublished
CVE-2024-42010mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

Last edited: 8 August 2024 2:38 pm

Back to top