CVE-2024-57004
Published: 03 February 2025
Summary
CVE-2024-57004 is a medium-severity Basic XSS (CWE-80) vulnerability in Roundcube Webmail. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53483
Vulnerability details
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment; the XSS is triggered when the Sent folder is viewed.
- CWE(s): CWE-80 (Basic XSS)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS vulnerability allows authenticated attackers to inject malicious JavaScript via email attachments, enabling exploitation of the public-facing webmail application (T1190), client-side code execution (T1203), JavaScript interpretation (T1059.007), and theft of web session cookies when victims view the Sent folder (T1539).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.