CVE-2024-42008
Published: 05 August 2024
Summary
CVE-2024-42008 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-42008 is a reflected cross-site scripting flaw (CWE-79) located in the rcmail_action_mail_get->run() handler of Roundcube Webmail. The vulnerability affects all releases through 1.5.7 and the 1.6.x branch through 1.6.7; it is triggered when an email attachment is served with a dangerous Content-Type header, causing the browser to execute attacker-supplied script in the Roundcube origin.
An unauthenticated remote attacker can exploit the issue by sending a victim a single malicious message containing a crafted attachment. When the recipient opens the message or preview pane, the injected script runs with the user’s Roundcube session privileges, allowing the attacker to exfiltrate message contents, forward or delete mail, and perform other actions within the compromised mailbox.
Roundcube has published patched releases 1.5.8 and 1.6.8 that correct the unsafe header handling; administrators are advised to upgrade immediately. The accompanying security announcements and GitHub release notes contain the precise commit references and upgrade guidance.
The CVE carries a CVSS 3.1 score of 9.3 and an EPSS value that has reached a peak of 0.5857 (current 0.5095). A SonarSource analysis highlights exposure of government mail systems, underscoring the practical impact of the flaw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39390
Vulnerability details
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation: rejects web inputs containing script-related content that could produce XSS.
- Output validation: checking generated web pages against expected content can reject or sanitize script content, reducing XSS exploitability.
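The weakness class behind this CVE, an attachment's declared Content-Type being reflected to the browser so that the body renders as an active document in the mail origin, and the output-validation control listed above can both be shown in one place. The following is an added example, not Roundcube's code or its actual fix: a weak header builder that trusts the declared MIME type next to a hardened one that only allows a small inline-safe allow-list (an assumption chosen for the example) and forces everything else to be downloaded as opaque bytes with sniffing disabled.

```python
"""Hardened response headers for serving an untrusted mail attachment."""
from __future__ import annotations

import re

# Types a browser may render inline without executing script in our origin.
# Assumption: this allow-list is chosen for the example, not taken from Roundcube.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf"}

# Types that run script (or can be coerced into it) when rendered in the serving origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}


def _base_type(content_type: str) -> str:
    """Normalise 'Text/HTML; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def weak_headers(declared_type: str, filename: str) -> dict[str, str]:
    """The vulnerable pattern: the MIME type taken from the message is reflected verbatim."""
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def hardened_headers(declared_type: str, filename: str) -> dict[str, str]:
    """Only allow-listed types render inline; everything else becomes an opaque download."""
    base = _base_type(declared_type)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    headers = {"X-Content-Type-Options": "nosniff"}  # stop the browser second-guessing the type
    if base in INLINE_SAFE:
        headers["Content-Type"] = base
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox"  # defence in depth for inline content
    else:
        # text/html, image/svg+xml, XML and friends never render in the mail origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def renders_in_origin(headers: dict[str, str]) -> bool:
    """True if a browser would render the body as an active document in the serving origin."""
    return (_base_type(headers["Content-Type"]) in ACTIVE_TYPES
            and headers["Content-Disposition"].lower().startswith("inline"))
```

`renders_in_origin` is the check a reviewer or a unit test can run over a handler's output headers to catch regressions of this class.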