PT-2024-5497 · Roundcube Webmail

Author: Oskar Zeino-Mahmalat
Published: 2024-06-18 · Updated: 2026-03-12
CVE-2024-42009
CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Roundcube versions prior to 1.5.8
Roundcube versions 1.6.0 through 1.6.7
Roundcube versions prior to 1.6.8
Roundcube versions prior to 1.4.15+dfsg.1-1+deb11u4 (Bullseye)
Roundcube versions prior to 1.6.5+dfsg-1+deb12u3 (Bookworm)
Roundcube versions prior to 1.6.6+dfsg-2ubuntu0.1+esm1 (Ubuntu Pro)
Description

Roundcube Webmail is affected by multiple cross-site scripting (XSS) vulnerabilities. A flaw in the sanitization performed by the message_body() function potentially allows a remote attacker to execute malicious JavaScript code when a crafted email message is opened. Successful exploitation could allow an attacker to steal and send emails as another user. Recent reports indicate active exploitation of CVE-2024-42009 in spear-phishing campaigns targeting Polish organizations, with UNC1151 linked to these attacks. The vulnerability abuses a deserialization issue in the message_body() function; the rcmail_action_mail_get->run() function is also implicated in the XSS issue.
Recommendations

Roundcube versions prior to 1.5.8: upgrade to version 1.5.8 or later.
Roundcube versions 1.6.0 through 1.6.7: upgrade to version 1.6.8 or later.
Roundcube versions prior to 1.6.6+dfsg-2ubuntu0.1+esm1 (Ubuntu Pro): update to version 1.6.6+dfsg-2ubuntu0.1+esm1 or later.
Roundcube versions prior to 1.4.15+dfsg.1-1+deb11u4 (Bullseye): upgrade to version 1.4.15+dfsg.1-1+deb11u4 or later.
Roundcube versions prior to 1.6.5+dfsg-1+deb12u3 (Bookworm): upgrade to version 1.6.5+dfsg-1+deb12u3 or later.

Tags: Exploit, Fix, XSS

Related Identifiers

ALT-PU-2025-8283
BDU:2024-06146
BDU:2024-06254
CVE-2024-42009
DSA-5743-1
DSA-5743-2
MGASA-2024-0279
OPENSUSE-SU-2024:0328-1
OPENSUSE-SU-2024:14243-1
USN-7636-1

Affected Products

Alt Linux
Linuxmint
Red Os
Roundcube Webmail
Ubuntu