nvd
NVD:CVE-2024-42008
History: Aug 05, 2024 - 7:15 p.m.

CVE-2024-42008

2024-08-05 19:15:38
CWE-79
web.nvd.nist.gov
cross-site scripting
remote attacker
email theft

CVSS3: 9.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.008
Percentile: 82.1%

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Affected configurations

Nvd
Node
roundcube webmail, Range: <1.5.8
OR
roundcube webmail, Range: 1.6.0 - 1.6.8

Vendor: roundcube
Product: webmail
Version: *
CPE: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
