VDB
DEBIAN-CVE-2024-42009
PUBLISHED
CVSS 9.3 CRITICAL
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Risk Scores
CVSS 3.1
9.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | roundcube | 0, *, 1.4.11+dfsg.1-4 |
| Debian:14 | roundcube | 0 |
| Debian:12 | roundcube | 1.6.1+dfsg-1, 1.6.2+dfsg-1, 1.6.3+dfsg-1~deb12u1 |
| Debian:13 | roundcube | 0, 0 |
Exploit Intelligence
- segunakinsoyinu/CVE-2024-42009-roundcube-xss (github-poc-repo)
- segunakinsoyinu/CVE-2024-42009-roundcube-xss (github-poc)
- This script exploits a stored XSS vulnerability (CVE-2024-42009) in Roundcube Webmail version 1.6.7. It injects a malicious payload into the webmail system, which, when triggered, exfiltrates email content from the victim’s inbox. (github-poc-repo)
- This Proof of Concept (PoC) demonstrates an exploit for CVE-2024-42009, leveraging a cross-site scripting (XSS) vulnerability to extract emails from a target webmail application. The attack injects a malicious payload that exfiltrates email content to an attacker-controlled listener. (github-poc-repo)
- The scripts in this repository are made to abuse CVE-2024-42008 and CVE-2024-42009. Both of these CVEs are vulnerabilities found on Roundcube 1.6.7 (github-poc-repo)
- CVE-2024-42009 Proof of Concept (github-poc-repo)
- Shubhankargupta691/CVE-2024-42009 (github-poc-repo)
- ZaidArif47/CVE-2024-42009 (github-poc-repo)
- ZaidArif47/CVE-2024-42009 (github-poc)
- Shubhankargupta691/CVE-2024-42009 (github-poc)
…and 10 more exploits
Timeline
- Aug 5, 2024 CVE Published
- May 10, 2026 CVE Updated