{"id":"UBUNTU-CVE-2024-42008","details":"A Cross-Site Scripting vulnerability in rcmail_action_mail_get-\u003erun() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.","modified":"2026-03-17T08:18:05.027137Z","published":"2024-08-05T19:15:00Z","upstream":["CVE-2024-42008"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-42008"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-42008"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases"},{"type":"REPORT","url":"https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.8"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.8"},{"type":"REPORT","url":"https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.5.0+dfsg.1-2ubuntu0.1~esm5?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.11+dfsg.1-4","1.5.0+dfsg.1-2","1.5.0+dfsg.1-2ubuntu0.1~esm1","1.5.0+dfsg.1-2ubuntu0.1~esm2","1.5.0+dfsg.1-2ubuntu0.1~esm3","1.5.0+dfsg.1-2ubuntu0.1~esm4","1.5.0+dfsg.1-2ubuntu0.1~esm5"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"},{"binary_name":"roundcube-core","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"},{"binary_name":"roundcube-mysql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"},{"binary_name":"roundcube-pgsql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"},{"binary_name":"roundcube-plugins","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"},{"binary_name":"roundcube-sqlite3","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-42008.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.6.6+dfsg-2ubuntu0.1+esm2?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.2+dfsg-1","1.6.4+dfsg-1","1.6.5+dfsg-1","1.6.6+dfsg-1","1.6.6+dfsg-2","1.6.6+dfsg-2ubuntu0.1","1.6.6+dfsg-2ubuntu0.1+esm1","1.6.6+dfsg-2ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"},{"binary_name":"roundcube-core","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"},{"binary_name":"roundcube-mysql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"},{"binary_name":"roundcube-plugins","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-42008.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}