PT-2024-5574 · Roundcube +4

Oskar Zeino-Mahmalat · Published 2024-06-18 · Updated 2026-04-29 · CVE-2024-42008

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube versions 1.5.7 and earlier, 1.6.x through 1.6.7

Description: The issue exists due to inadequate protection of the web page structure in the rcmail_action_mail_get->run() function of the Roundcube Webmail client. Exploitation of this issue may allow a remote attacker to conduct a cross-site scripting (XSS) attack by sending specially crafted malicious attachments. This can potentially allow the attacker to steal and send emails of a victim via a malicious email attachment served with a dangerous Content-Type header.

Recommendations: For Roundcube versions 1.5.7 and earlier: update to a version later than 1.5.7 to resolve the issue. For Roundcube versions 1.6.x through 1.6.7: update to a version later than 1.6.7 to resolve the issue. As a temporary workaround, consider restricting access to the rcmail_action_mail_get->run() function until a patch is available. Avoid using dangerous Content-Type headers in email attachments until the issue is resolved.
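The defensive pattern for an attachment endpoint of this kind, as an added illustration that is not Roundcube's own code: the sender-declared MIME type is only honoured for passive content, everything else is served as opaque bytes for download, and the response is marked nosniff so the browser cannot reinterpret it as HTML on the webmail origin. The function name and allowlist are assumptions for the example.

```php
<?php
// Added illustration (not Roundcube's code): decide response headers for an
// untrusted mail attachment so the message's declared Content-Type can never
// turn the download endpoint into an XSS sink on the webmail origin.

// Types safe to render inline: passive content the browser will not execute.
// text/html, image/svg+xml, XML and anything scriptable are deliberately absent.
// Hypothetical allowlist for the example; trim it to what your deployment needs.
const INLINE_SAFE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'image/webp', 'text/plain'];

/**
 * Build headers for serving one attachment.
 * $declaredType: MIME type taken from the message (attacker-controlled).
 * $filename:     attachment name from the message (also attacker-controlled).
 * $forceDownload: true when the user asked to save rather than view.
 */
function attachmentResponseHeaders(string $declaredType, string $filename, bool $forceDownload): array
{
    // Normalise the declared type: lowercase, parameters stripped
    // ("text/HTML; charset=x" -> "text/html") so allowlist checks cannot be bypassed by casing.
    $type = strtolower(trim(explode(';', $declaredType, 2)[0]));

    // Remove control characters, quotes and backslashes from the file name so it
    // cannot break out of the Content-Disposition header or inject a new header line.
    $safeName = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $filename);
    if ($safeName === null || $safeName === '') {
        $safeName = 'attachment';
    }

    $inline = !$forceDownload && in_array($type, INLINE_SAFE_TYPES, true);

    $headers = [
        // Browsers must not guess a more dangerous type from the body bytes.
        'X-Content-Type-Options' => 'nosniff',
        // If a browser does render the response as a document, it runs with no
        // script and no same-origin access to the webmail session.
        'Content-Security-Policy' => 'sandbox',
    ];

    if ($inline) {
        $headers['Content-Type'] = $type;
        $headers['Content-Disposition'] = 'inline; filename="' . $safeName . '"';
    } else {
        // Not on the allowlist (or explicitly downloaded): serve as opaque bytes,
        // whatever the message claimed the type was.
        $headers['Content-Type'] = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
    }
    return $headers;
}
```

With this logic an attachment declared as text/html, image/svg+xml or any other active type is never returned with that Content-Type, which is the condition the description above relies on.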

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-8283
BDU:2024-06254
CVE-2024-42008
DSA-5743-1
DSA-5743-2
MGASA-2024-0279
OPENSUSE-SU-2024:0328-1
OPENSUSE-SU-2024:14243-1
USN-8223-1

Affected Products

Alt Linux
Linuxmint
Red Os
Roundcube
Ubuntu