Lucene search

K

GoogleOSV:CVE-2024-42008

HistoryAug 05, 2024 - 7:15 p.m.

CVE-2024-42008

2024-08-0519:15:38

Google

osv.dev

cross-site scripting

roundcube

email theft

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

6.3

Confidence

High

EPSS

0.008

Percentile

82.1%

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

References

github.com/roundcube/roundcubemail/releases

github.com/roundcube/roundcubemail/releases/tag/1.5.8

github.com/roundcube/roundcubemail/releases/tag/1.6.8

roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8

security-tracker.debian.org/tracker/CVE-2024-42008

sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

6.3

Confidence

High

EPSS

0.008

Percentile

82.1%

Related for OSV:CVE-2024-42008

nvd1 ubuntucve1 vulnrichment1 debiancve1 cvelist1 cve1 nessus5 osv3 fedora2 openvas6 mageia1 freebsd1 redos1 thn1