CVE-2024-42009: Roundcube Webmail - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Roundcube Webmail | PoC: public

Vulnerability description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

PoC code [public]

id: CVE-2024-42009

info:
  name: Roundcube Webmail - Cross-Site Scripting
  author: rxerium
  severity: critical
  description: |
    A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
  impact: |
    Attackers can steal and send victim emails, leading to privacy breach and potential further exploitation.
  remediation: |
    Update to the latest version of Roundcube, version 1.6.8 or later.
  reference:
    - https://github.com/roundcube/roundcubemail/releases
    - https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
    - https://nvd.nist.gov/vuln/detail/CVE-2024-42009
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 9.3
    cve-id: CVE-2024-42009
    epss-score: 0.90671
    epss-percentile: 0.99588
    cwe-id: CWE-79
    cpe: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: cpe:"cpe:2.3:a:roundcube:webmail"
    fofa-query: "roundcube_sessid"
  tags: cve,cve2024,roundcube,xss,vkev,passive,kev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        name: major
        group: 1
        regex:
          - '"rcversion":(\d)'
        internal: true

      - type: regex
        name: minor
        group: 1
        regex:
          - '"rcversion":\d\d(\d)'
        internal: true

      - type: regex
        name: patch
        group: 1
        regex:
          - '"rcversion":\d\d\d(\d+)'
        internal: true

      - type: dsl
        name: version
        dsl:
          - major + "." + minor + "." + patch
        internal: true

      - type: dsl
        dsl:
          - '"Roundcube Version: "+ version'

    matchers-condition: and
    matchers:
      - type: dsl
        name: vulnerable
        dsl:
          - compare_versions(version, '<= 1.5.7') || (compare_versions(version,'>= 1.6.0') && compare_versions(version, '<= 1.6.7'))

      - type: word
        part: body
        words:
          - "Roundcube"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100cbad0574e0b3a66b4d7d68f2254eb80655c76131fc55a712ae756099218cc629022058e0bd0356c476b0e828d4781f94f032e650ddb6ffd72036bd6e509a7137436e:922c64590222798bb761d5b6d8e72950
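The template above fingerprints an instance passively by slicing digits out of the `rcversion` value that Roundcube embeds in its page and comparing the result against the affected ranges. The following Python script is an added example, not part of the template or of Roundcube, that does the same version triage over saved page bodies so a defender can sort an inventory of instances into patched and unpatched. It assumes the integer encoding the template's regexes imply (major*10000 + minor*100 + patch, so 10607 is 1.6.7); the sample bodies are constructed, not real captures.

```python
import re
from typing import Optional, Tuple

# Fixed releases from the advisory: 1.5.8 and 1.6.8. Everything below 1.5.8,
# and 1.6.0 through 1.6.7, is in the affected range for CVE-2024-42009.
FIXED_15 = (1, 5, 8)
FIXED_16 = (1, 6, 8)

RCVERSION_RE = re.compile(r'"rcversion":(\d+)')


def decode_rcversion(raw: int) -> Tuple[int, int, int]:
    """Decode the integer rcversion (e.g. 10607) into (1, 6, 7).
    Assumption: encoding is major*10000 + minor*100 + patch, which is
    what the template's digit-slicing regexes rely on."""
    return raw // 10000, (raw // 100) % 100, raw % 100


def extract_version(body: str) -> Optional[Tuple[int, int, int]]:
    """Return the version announced in a Roundcube page body, or None."""
    m = RCVERSION_RE.search(body)
    if not m:
        return None
    return decode_rcversion(int(m.group(1)))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Mirror the template DSL: <= 1.5.7, or 1.6.0 <= v <= 1.6.7."""
    return version < FIXED_15 or (1, 6, 0) <= version < FIXED_16


def assess(body: str) -> str:
    """One-line verdict for an inventory report."""
    v = extract_version(body)
    if v is None:
        return "rcversion not found (not Roundcube, or version hidden)"
    verdict = "VULNERABLE (CVE-2024-42009)" if is_vulnerable(v) else "not affected"
    return "Roundcube %d.%d.%d: %s" % (v[0], v[1], v[2], verdict)


# Constructed sample bodies (not real captures) covering each branch.
SAMPLES = {
    "1.5.7": '<script>rcmail.set_env({"rcversion":10507,"task":"login"});</script>',
    "1.6.7": '... "rcversion":10607 ...',
    "1.6.8": '... "rcversion":10608 ...',
    "1.4.13": '... "rcversion":10413 ...',
    "other": '<html><body>Not a webmail</body></html>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", assess(body))
```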
