Security News > 2024 > August > Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008)
Two cross-site scripting vulnerabilities affecting Roundcube could be exploited by attackers to steal users' emails and contacts, email password, and send emails from their account.
"No user interaction beyond viewing the attacker's email is required to exploit. For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user," Sonar vulnerability researcher Oskar Zeino-Mahmalat noted.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser. Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered."
"We strongly advise Roundcube administrators to apply the latest patch, version 1.6.8, or 1.5.8, as soon as possible to protect their organization's users. Users who suspect that they are affected should change their email password and additionally clear the site data of the Roundcube site they are using in their browser."
Since late 2023, Roundcube maintainers have been steadily fixing a number of XSS vulnerabilities.
In February 2024, CISA ordered US federal government agencies to plug a Roundcube XSS flaw exploited by unknown attackers.
News URL
https://www.helpnetsecurity.com/2024/08/07/cve-2024-42009-cve-2024-42008/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-05 | CVE-2024-42008 | Cross-site Scripting vulnerability in Roundcube Webmail A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | 9.3 |