CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-42009: A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a...

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Known Exploited

🚨 Marked as known exploited on June 9th, 2025 (4 days ago).

Classification

CVE ID: CVE-2024-42009

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 49.7% (probability of being exploited)

EPSS Percentile: 97.6% (scored less or equal to compared to others)

EPSS Date: 2025-04-11 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-42009
https://github.com/roundcube/roundcubemail/releases
https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8

Timeline

2025-03-13 16:40:15 UTC
CVE

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a...
2025-06-09 17:45:11 UTC
CISA KEV

RoundCube Webmail Cross-Site Scripting Vulnerability
2025-06-09 17:46:11 UTC
🚨 Marked as Known Exploited