
Roundcube Releases Security Updates for Webmail

Updates address three vulnerabilities that could lead to theft of emails and contacts



Affected platforms

The following platforms are known to be affected:

Threat details

CVE-2024-42009 exploited in the wild

Active exploitation of CVE-2024-42009 has been observed in the wild.
Additionally, a security researcher has published a video demonstration of a proof-of-concept exploit for CVE-2024-42009 and CVE-2024-42008, without technical details. The NHS England National Cyber Security Operations Centre (CSOC) assesses further exploitation as highly likely.


Introduction

Roundcube has released security updates for its webmail product addressing two cross-site scripting (XSS) vulnerabilities. Roundcube Webmail is a free and open-source webmail solution with a desktop-like user interface which runs on a standard LAMPP (Linux, Apache, MySQL/MariaDB, PHP, PHPMyAdmin) server.

The updates address vulnerabilities CVE-2024-42009 and CVE-2024-42008, which an unauthenticated attacker could exploit to steal emails or contacts and to send emails from the victim's account. Additionally, vulnerability CVE-2024-42010 could allow an attacker to access sensitive information.


Threat updates

Date         Update
9 Jun 2025   CVE-2024-42009 exploited in the wild

Remediation advice

Affected organisations are encouraged to review the Roundcube security updates 1.6.8 and 1.5.8 and apply the update relevant to the branch they run.
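The following script is an added example for checking whether an installed Roundcube instance is at or above the fixed versions named above (1.6.8 for the 1.6 branch, 1.5.8 for the 1.5 branch). It is not part of this advisory and is not the Roundcube project's own tooling. It assumes the install records its version in program/include/iniset.php as define('RCMAIL_VERSION', '1.6.7'); and treats any branch other than 1.5 and 1.6 as not covered by these updates, to be verified separately.

```shell
#!/bin/sh
# Added example, not from the NHS advisory or the Roundcube project.
# Usage: sh roundcube_check.sh /path/to/roundcube
# Assumption: the Roundcube version is defined in
#   program/include/iniset.php  as  define('RCMAIL_VERSION', '1.6.7');

# version_ge A B: return 0 when dotted version A is >= B (numeric, per field).
# Missing fields are padded with ".0.0" so "1.6" compares as "1.6.0".
version_ge() {
  a="$1.0.0"; b="$2.0.0"
  a1=$(printf '%s' "$a" | cut -d. -f1); a2=$(printf '%s' "$a" | cut -d. -f2); a3=$(printf '%s' "$a" | cut -d. -f3)
  b1=$(printf '%s' "$b" | cut -d. -f1); b2=$(printf '%s' "$b" | cut -d. -f2); b3=$(printf '%s' "$b" | cut -d. -f3)
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# roundcube_patch_status VERSION: prints "patched", "vulnerable" or
# "unknown-branch" and returns 0, 1 or 2 respectively.
# Fixed versions are the ones named in the advisory: 1.6.8 and 1.5.8.
roundcube_patch_status() {
  v=$(printf '%s' "$1" | sed 's/-.*//')          # drop suffixes such as "-git"
  branch=$(printf '%s' "$v" | cut -d. -f1,2)
  case "$branch" in
    1.6) fixed=1.6.8 ;;
    1.5) fixed=1.5.8 ;;
    *)   echo "unknown-branch"; return 2 ;;      # assumption: not covered here, verify separately
  esac
  if version_ge "$v" "$fixed"; then
    echo "patched"; return 0
  fi
  echo "vulnerable"; return 1
}

# installed_roundcube_version DIR: extract RCMAIL_VERSION from the assumed file.
installed_roundcube_version() {
  sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$1/program/include/iniset.php"
}

# Command-line entry point: report the status of the install at $1.
if [ -n "${1:-}" ]; then
  ver=$(installed_roundcube_version "$1")
  printf 'Roundcube %s: ' "$ver"
  roundcube_patch_status "$ver"
fi
```

The exit status (0 patched, 1 vulnerable, 2 unknown branch) lets the check be dropped into a configuration-audit job across several hosts; branches outside 1.5 and 1.6 are reported rather than silently passed so that an unsupported install is not mistaken for a patched one.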



Last edited: 9 June 2025 12:51 pm