Security News

Cybersecurity news aggregator


Roundcube Webmail 1.6.x < 1.6.8 Multiple Vulnerabilities

  • What: Multiple cross-site scripting (XSS) and information exposure vulnerabilities (CVE-2024-42008, CVE-2024-42009, CVE-2024-42010) have been identified in Roundcube Webmail 1.5.x before 1.5.8 and 1.6.x before 1.6.8.
  • Impact: A crafted e-mail message, once opened by the victim (the CVSS vector requires user interaction), can run attacker-controlled JavaScript in the victim's webmail session or leak sensitive information through insufficiently filtered CSS in the rendered message. The code execution is client-side, in the victim's browser, not on the mail server.
  • Affected: Roundcube Webmail 1.5.x before 1.5.8 and 1.6.x before 1.6.8.
  • Patch: Upgrade to Roundcube Webmail 1.6.8 or later (1.5.8 or later on the 1.5.x branch).

Roundcube Webmail 1.6.x < 1.6.8 Multiple Vulnerabilities (Web App Scanning Plugin ID 114555, severity Critical)

Synopsis
Roundcube Webmail 1.6.x < 1.6.8 Multiple Vulnerabilities

Description
According to its self-reported version number, Roundcube Webmail is prior to 1.5.8 or 1.6.x prior to 1.6.8. It may therefore be affected by multiple vulnerabilities:
  • A cross-site scripting (XSS) vulnerability in rcmail_action_mail_get->run().
  • A cross-site scripting (XSS) vulnerability via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
  • Exposure of sensitive information through insufficiently filtered Cascading Style Sheets (CSS) token sequences in rendered e-mail messages.
Note that the scanner has not tested for these issues but has relied only on the application's self-reported version number; a patched build that misreports its version, or a vulnerable one behind a version-hiding proxy, will be misclassified.

Solution
Upgrade to Roundcube Webmail version 1.6.8 or later (1.5.8 or later on the 1.5.x branch).

See Also
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8

Plugin Details
  • Severity: Critical
  • ID: 114555
  • Type: remote
  • Family: Component Vulnerability
  • Published: 1/17/2025
  • Updated: 1/17/2025
  • Scan Template: basic, full, pci, scan

Risk Information
  • VPR: Risk Factor High, Score 7.9
  • CVSS v2: Risk Factor High, Base Score 9.4, Vector CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N (score source: CVE-2024-42008)
  • CVSS v3: Risk Factor Critical, Base Score 9.3, Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (score source: CVE-2024-42008)

Vulnerability Information
  • CPE: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
  • Exploit Available: true
  • Exploit Ease: Exploits are available
  • Patch Publication Date: 8/4/2024
  • Vulnerability Publication Date: 8/4/2024
  • CISA Known Exploited Vulnerability Due Date: 6/30/2025

Reference Information
  • CVE: CVE-2024-42008, CVE-2024-42009, CVE-2024-42010
  • CWE: 200, 79
  • OWASP: 2010-A2, 2010-A6, 2013-A3, 2013-A5, 2013-A9, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A3, 2021-A6, 2025-A1, 2025-A5, 2025-A6
  • WASC: Cross-Site Scripting, Information Leakage
  • CAPEC: 116, 13, 169, 209, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 588, 59, 591, 592, 60, 616, 63, 643, 646, 651, 79, 85
  • DISA STIG: APSC-DV-000460, APSC-DV-002490, APSC-DV-002630
  • HIPAA: 164.306(a)(1), 164.306(a)(2)
  • ISO: 27001-A.14.2.5
  • NIST: sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-15
  • OWASP API: 2019-API7, 2023-API8
  • OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.3, 4.0.2-8.3.4
  • PCI-DSS: 3.2-6.2, 3.2-6.5.7, 3.2-6.5.8
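The plugin's verdict rests entirely on comparing the self-reported version against the fixed releases 1.5.8 and 1.6.8. The script below is an added example (not Tenable's plugin code and not part of Roundcube) that reproduces that range check so an operator can run it against a fleet inventory or an on-disk install. The version table is taken from the advisory above; the `check_roundcube`, `parse_version` and `version_from_iniset` names and the sample `define('RCMAIL_VERSION', ...)` line are constructed for this illustration. It compares versions as integer tuples, because a string comparison puts '1.6.10' before '1.6.8' and would flag a patched install, and it reports pre-release strings it cannot parse as unknown rather than guessing.

```python
"""Version-range check mirroring the plugin's logic: flag Roundcube Webmail
1.5.x < 1.5.8 and 1.6.x < 1.6.8 (CVE-2024-42008/-42009/-42010) as affected.
Added example; the sample strings below are constructed, not captured."""
import re
from typing import Optional, Tuple

# First fixed release per affected branch, from the roundcube.net advisory.
FIXED = {
    (1, 5): (1, 5, 8),
    (1, 6): (1, 6, 8),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")
# Roundcube keeps its version in a PHP define(); this pattern matches that line.
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into an int tuple; None if unparseable.
    Integer tuples avoid the lexicographic trap where '1.6.10' < '1.6.8'."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def check_roundcube(version: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of
    'vulnerable', 'fixed', 'not-covered', 'unknown'."""
    v = parse_version(version)
    if v is None:
        # e.g. '1.6-rc': report it instead of silently treating it as safe.
        return "unknown", f"cannot parse version {version!r}"
    branch = v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        # e.g. 1.4.x (end-of-life) or 1.7.x: outside the ranges this check
        # knows about, which is not a statement that they are safe.
        return "not-covered", f"branch {branch[0]}.{branch[1]} not in checked ranges"
    fixed_str = ".".join(map(str, fixed))
    if v < fixed:
        return "vulnerable", f"{version} < {fixed_str}; upgrade to {fixed_str} or later"
    return "fixed", f"{version} >= {fixed_str}"


def version_from_iniset(source: str) -> Optional[str]:
    """Pull the version string out of the RCMAIL_VERSION define() in a
    Roundcube source tree (program/include/iniset.php)."""
    m = _DEFINE_RE.search(source)
    return m.group(1) if m else None


# Constructed sample of the define line as it appears in iniset.php.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.7');\n"

if __name__ == "__main__":
    for v in ["1.6.7", "1.6.8", "1.6.10", "1.5.7", "1.5.8", "1.4.15", "1.6-rc"]:
        verdict, reason = check_roundcube(v)
        print(f"{v:8} {verdict:12} {reason}")
    found = version_from_iniset(SAMPLE_INISET)
    print("iniset.php:", found, *check_roundcube(found or ""))
```

Like the plugin, this is a version check and not a test for the flaws themselves: a backported fix that leaves the version string untouched will still be reported as vulnerable, and a reverse proxy that strips version markers yields 'unknown', not 'fixed'.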
