⚠️ CISA Known Exploited Vulnerability
Active ThreatThis vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed in the wild. This poses significant risk to federal enterprises and should be prioritized for immediate patching.
CVE-2024-42009
Critical CISA KEV
Low
Medium
High
Critical
9.3
CVSS Score
Published: Aug 05, 2024
Last Modified: Nov 04, 2025
Vulnerability Description
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
R
Scope
C
Confidentiality
H
Integrity
H
Availability
N
Known Affected Software
131 configuration(s) from 1 vendor(s)
webmail
Version:
1.3.5
CPE:
cpe:2.3:a:roundcube:webmail:1.3.5:*:*:*:*:*:*:*
webmail
Version:
0.1
CPE:
cpe:2.3:a:roundcube:webmail:0.1:-:*:*:*:*:*:*
webmail
Version:
0.8.6
CPE:
cpe:2.3:a:roundcube:webmail:0.8.6:*:*:*:*:*:*:*
webmail
Version:
1.3.8
CPE:
cpe:2.3:a:roundcube:webmail:1.3.8:*:*:*:*:*:*:*
webmail
Version:
1.5.2
CPE:
cpe:2.3:a:roundcube:webmail:1.5.2:*:*:*:*:*:*:*
webmail
Version:
0.7.3
CPE:
cpe:2.3:a:roundcube:webmail:0.7.3:*:*:*:*:*:*:*
webmail
Version:
1.4.13
CPE:
cpe:2.3:a:roundcube:webmail:1.4.13:*:*:*:*:*:*:*
webmail
Version:
1.3.14
CPE:
cpe:2.3:a:roundcube:webmail:1.3.14:*:*:*:*:*:*:*
webmail
Version:
1.0.9
CPE:
cpe:2.3:a:roundcube:webmail:1.0.9:*:*:*:*:*:*:*
webmail
Version:
1.3.16
CPE:
cpe:2.3:a:roundcube:webmail:1.3.16:*:*:*:*:*:*:*
webmail
Version:
1.4.9
CPE:
cpe:2.3:a:roundcube:webmail:1.4.9:*:*:*:*:*:*:*
webmail
Version:
1.6.7
CPE:
cpe:2.3:a:roundcube:webmail:1.6.7:*:*:*:*:*:*:*
webmail
Version:
1.0.4
CPE:
cpe:2.3:a:roundcube:webmail:1.0.4:*:*:*:*:*:*:*
webmail
Version:
1.0.12
CPE:
cpe:2.3:a:roundcube:webmail:1.0.12:*:*:*:*:*:*:*
webmail
Version:
1.4.4
CPE:
cpe:2.3:a:roundcube:webmail:1.4.4:*:*:*:*:*:*:*
webmail
Version:
1.4.12
CPE:
cpe:2.3:a:roundcube:webmail:1.4.12:*:*:*:*:*:*:*
webmail
Version:
1.4.8
CPE:
cpe:2.3:a:roundcube:webmail:1.4.8:*:*:*:*:*:*:*
webmail
Version:
0.2.1
CPE:
cpe:2.3:a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*
webmail
Version:
1.0.6
CPE:
cpe:2.3:a:roundcube:webmail:1.0.6:*:*:*:*:*:*:*
webmail
Version:
0.8.4
CPE:
cpe:2.3:a:roundcube:webmail:0.8.4:*:*:*:*:*:*:*
webmail
Version:
1.6.4
CPE:
cpe:2.3:a:roundcube:webmail:1.6.4:*:*:*:*:*:*:*
webmail
Version:
1.6.5
CPE:
cpe:2.3:a:roundcube:webmail:1.6.5:*:*:*:*:*:*:*
webmail
Version:
1.2.2
CPE:
cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*
webmail
Version:
1.6.6
CPE:
cpe:2.3:a:roundcube:webmail:1.6.6:*:*:*:*:*:*:*
webmail
Version:
1.6.1
CPE:
cpe:2.3:a:roundcube:webmail:1.6.1:*:*:*:*:*:*:*
webmail
Version:
1.3.9
CPE:
cpe:2.3:a:roundcube:webmail:1.3.9:*:*:*:*:*:*:*
webmail
Version:
1.1
CPE:
cpe:2.3:a:roundcube:webmail:1.1:-:*:*:*:*:*:*
webmail
Version:
1.3.0
CPE:
cpe:2.3:a:roundcube:webmail:1.3.0:-:*:*:*:*:*:*
webmail
Version:
0.9.1
CPE:
cpe:2.3:a:roundcube:webmail:0.9.1:*:*:*:*:*:*:*
webmail
Version:
0.9
CPE:
cpe:2.3:a:roundcube:webmail:0.9:beta:*:*:*:*:*:*
webmail
Version:
0.9.2
CPE:
cpe:2.3:a:roundcube:webmail:0.9.2:*:*:*:*:*:*:*
webmail
Version:
1.1.7
CPE:
cpe:2.3:a:roundcube:webmail:1.1.7:*:*:*:*:*:*:*
webmail
Version:
0.3.1
CPE:
cpe:2.3:a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*
webmail
Version:
1.2.0
CPE:
cpe:2.3:a:roundcube:webmail:1.2.0:-:*:*:*:*:*:*
webmail
Version:
1.3.1
CPE:
cpe:2.3:a:roundcube:webmail:1.3.1:*:*:*:*:*:*:*
webmail
Version:
0.7.1
CPE:
cpe:2.3:a:roundcube:webmail:0.7.1:*:*:*:*:*:*:*
webmail
Version:
1.5.3
CPE:
cpe:2.3:a:roundcube:webmail:1.5.3:*:*:*:*:*:*:*
webmail
Version:
1.1.6
CPE:
cpe:2.3:a:roundcube:webmail:1.1.6:*:*:*:*:*:*:*
webmail
Version:
0.8.5
CPE:
cpe:2.3:a:roundcube:webmail:0.8.5:*:*:*:*:*:*:*
webmail
Version:
1.3.4
CPE:
cpe:2.3:a:roundcube:webmail:1.3.4:*:*:*:*:*:*:*
webmail
Version:
1.2.9
CPE:
cpe:2.3:a:roundcube:webmail:1.2.9:*:*:*:*:*:*:*
webmail
Version:
1.6.0
CPE:
cpe:2.3:a:roundcube:webmail:1.6.0:-:*:*:*:*:*:*
webmail
Version:
0.7
CPE:
cpe:2.3:a:roundcube:webmail:0.7:-:*:*:*:*:*:*
webmail
Version:
1.3.2
CPE:
cpe:2.3:a:roundcube:webmail:1.3.2:*:*:*:*:*:*:*
webmail
Version:
1.4.0
CPE:
cpe:2.3:a:roundcube:webmail:1.4.0:*:*:*:*:*:*:*
webmail
Version:
0.6
CPE:
cpe:2.3:a:roundcube:webmail:0.6:-:*:*:*:*:*:*
webmail
Version:
1.2.4
CPE:
cpe:2.3:a:roundcube:webmail:1.2.4:*:*:*:*:*:*:*
webmail
Version:
1.4.3
CPE:
cpe:2.3:a:roundcube:webmail:1.4.3:*:*:*:*:*:*:*
webmail
Version:
1.3.13
CPE:
cpe:2.3:a:roundcube:webmail:1.3.13:*:*:*:*:*:*:*
webmail
Version:
1.2.12
CPE:
cpe:2.3:a:roundcube:webmail:1.2.12:*:*:*:*:*:*:*
webmail
Version:
1.0.10
CPE:
cpe:2.3:a:roundcube:webmail:1.0.10:*:*:*:*:*:*:*
webmail
Version:
1.2.11
CPE:
cpe:2.3:a:roundcube:webmail:1.2.11:*:*:*:*:*:*:*
webmail
Version:
0.5.3
CPE:
cpe:2.3:a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*
webmail
Version:
1.0.1
CPE:
cpe:2.3:a:roundcube:webmail:1.0.1:*:*:*:*:*:*:*
webmail
Version:
1.4.14
CPE:
cpe:2.3:a:roundcube:webmail:1.4.14:*:*:*:*:*:*:*
webmail
Version:
1.4
CPE:
cpe:2.3:a:roundcube:webmail:1.4:-:*:*:*:*:*:*
webmail
Version:
1.2.3
CPE:
cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*
webmail
Version:
1.2.1
CPE:
cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*
webmail
Version:
1.1.9
CPE:
cpe:2.3:a:roundcube:webmail:1.1.9:*:*:*:*:*:*:*
webmail
Version:
1.4.5
CPE:
cpe:2.3:a:roundcube:webmail:1.4.5:*:*:*:*:*:*:*
webmail
Version:
0.4.1
CPE:
cpe:2.3:a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*
webmail
Version:
0.5.1
CPE:
cpe:2.3:a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*
webmail
Version:
1.1.12
CPE:
cpe:2.3:a:roundcube:webmail:1.1.12:*:*:*:*:*:*:*
webmail
Version:
1.4.6
CPE:
cpe:2.3:a:roundcube:webmail:1.4.6:*:*:*:*:*:*:*
webmail
Version:
1.5.0
CPE:
cpe:2.3:a:roundcube:webmail:1.5.0:-:*:*:*:*:*:*
webmail
Version:
1.5.4
CPE:
cpe:2.3:a:roundcube:webmail:1.5.4:*:*:*:*:*:*:*
webmail
Version:
1.2
CPE:
cpe:2.3:a:roundcube:webmail:1.2:beta:*:*:*:*:*:*
webmail
Version:
0.7.2
CPE:
cpe:2.3:a:roundcube:webmail:0.7.2:*:*:*:*:*:*:*
webmail
Version:
1.1.4
CPE:
cpe:2.3:a:roundcube:webmail:1.1.4:*:*:*:*:*:*:*
webmail
Version:
1.0.2
CPE:
cpe:2.3:a:roundcube:webmail:1.0.2:*:*:*:*:*:*:*
webmail
Version:
1.3.6
CPE:
cpe:2.3:a:roundcube:webmail:1.3.6:*:*:*:*:*:*:*
webmail
Version:
1.0
CPE:
cpe:2.3:a:roundcube:webmail:1.0:beta:*:*:*:*:*:*
webmail
Version:
0.5.2
CPE:
cpe:2.3:a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*
webmail
Version:
1.5.5
CPE:
cpe:2.3:a:roundcube:webmail:1.5.5:*:*:*:*:*:*:*
webmail
Version:
0.2.2
CPE:
cpe:2.3:a:roundcube:webmail:0.2.2:*:*:*:*:*:*:*
webmail
Version:
1.3.17
CPE:
cpe:2.3:a:roundcube:webmail:1.3.17:*:*:*:*:*:*:*
webmail
Version:
0.3
CPE:
cpe:2.3:a:roundcube:webmail:0.3:-:*:*:*:*:*:*
webmail
Version:
1.2.8
CPE:
cpe:2.3:a:roundcube:webmail:1.2.8:*:*:*:*:*:*:*
webmail
Version:
1.3.7
CPE:
cpe:2.3:a:roundcube:webmail:1.3.7:*:*:*:*:*:*:*
webmail
Version:
0.8.1
CPE:
cpe:2.3:a:roundcube:webmail:0.8.1:*:*:*:*:*:*:*
webmail
Version:
1.6.2
CPE:
cpe:2.3:a:roundcube:webmail:1.6.2:*:*:*:*:*:*:*
webmail
Version:
1.4.1
CPE:
cpe:2.3:a:roundcube:webmail:1.4.1:*:*:*:*:*:*:*
webmail
Version:
1.4.15
CPE:
cpe:2.3:a:roundcube:webmail:1.4.15:*:*:*:*:*:*:*
webmail
Version:
1.2.10
CPE:
cpe:2.3:a:roundcube:webmail:1.2.10:*:*:*:*:*:*:*
webmail
Version:
1.3.10
CPE:
cpe:2.3:a:roundcube:webmail:1.3.10:*:*:*:*:*:*:*
webmail
Version:
1.1.3
CPE:
cpe:2.3:a:roundcube:webmail:1.1.3:*:*:*:*:*:*:*
webmail
Version:
1.3.11
CPE:
cpe:2.3:a:roundcube:webmail:1.3.11:*:*:*:*:*:*:*
webmail
Version:
1.1.8
CPE:
cpe:2.3:a:roundcube:webmail:1.1.8:*:*:*:*:*:*:*
webmail
Version:
1.3
CPE:
cpe:2.3:a:roundcube:webmail:1.3:beta:*:*:*:*:*:*
webmail
Version:
0.4.2
CPE:
cpe:2.3:a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*
webmail
Version:
1.2.7
CPE:
cpe:2.3:a:roundcube:webmail:1.2.7:*:*:*:*:*:*:*
webmail
Version:
1.4.2
CPE:
cpe:2.3:a:roundcube:webmail:1.4.2:*:*:*:*:*:*:*
webmail
Version:
1.1.2
CPE:
cpe:2.3:a:roundcube:webmail:1.1.2:*:*:*:*:*:*:*
webmail
Version:
0.9.5
CPE:
cpe:2.3:a:roundcube:webmail:0.9.5:*:*:*:*:*:*:*
webmail
Version:
0.7.4
CPE:
cpe:2.3:a:roundcube:webmail:0.7.4:*:*:*:*:*:*:*
webmail
Version:
1.0.5
CPE:
cpe:2.3:a:roundcube:webmail:1.0.5:*:*:*:*:*:*:*
webmail
Version:
1.5.7
CPE:
cpe:2.3:a:roundcube:webmail:1.5.7:*:*:*:*:*:*:*
webmail
Version:
1.3.3
CPE:
cpe:2.3:a:roundcube:webmail:1.3.3:*:*:*:*:*:*:*
webmail
Version:
1.3.15
CPE:
cpe:2.3:a:roundcube:webmail:1.3.15:*:*:*:*:*:*:*
webmail
Version:
1.4.7
CPE:
cpe:2.3:a:roundcube:webmail:1.4.7:*:*:*:*:*:*:*
webmail
Version:
1.2.6
CPE:
cpe:2.3:a:roundcube:webmail:1.2.6:*:*:*:*:*:*:*
webmail
Version:
1.2.13
CPE:
cpe:2.3:a:roundcube:webmail:1.2.13:*:*:*:*:*:*:*
webmail
Version:
1.3.12
CPE:
cpe:2.3:a:roundcube:webmail:1.3.12:*:*:*:*:*:*:*
webmail
Version:
0.9.0
CPE:
cpe:2.3:a:roundcube:webmail:0.9.0:beta:*:*:*:*:*:*
webmail
Version:
1.1.0
CPE:
cpe:2.3:a:roundcube:webmail:1.1.0:-:*:*:*:*:*:*
webmail
Version:
1.2.5
CPE:
cpe:2.3:a:roundcube:webmail:1.2.5:*:*:*:*:*:*:*
webmail
Version:
1.1.10
CPE:
cpe:2.3:a:roundcube:webmail:1.1.10:*:*:*:*:*:*:*
webmail
Version:
0.2
CPE:
cpe:2.3:a:roundcube:webmail:0.2:-:*:*:*:*:*:*
webmail
Version:
0.9.3
CPE:
cpe:2.3:a:roundcube:webmail:0.9.3:*:*:*:*:*:*:*
webmail
Version:
1.6.3
CPE:
cpe:2.3:a:roundcube:webmail:1.6.3:*:*:*:*:*:*:*
webmail
Version:
1.0.0
CPE:
cpe:2.3:a:roundcube:webmail:1.0.0:-:*:*:*:*:*:*
webmail
Version:
1.1.1
CPE:
cpe:2.3:a:roundcube:webmail:1.1.1:*:*:*:*:*:*:*
webmail
Version:
1.0.11
CPE:
cpe:2.3:a:roundcube:webmail:1.0.11:*:*:*:*:*:*:*
webmail
Version:
0.8.7
CPE:
cpe:2.3:a:roundcube:webmail:0.8.7:*:*:*:*:*:*:*
webmail
Version:
0.8.0
CPE:
cpe:2.3:a:roundcube:webmail:0.8.0:-:*:*:*:*:*:*
webmail
Version:
0.8.3
CPE:
cpe:2.3:a:roundcube:webmail:0.8.3:*:*:*:*:*:*:*
webmail
Version:
1.1.11
CPE:
cpe:2.3:a:roundcube:webmail:1.1.11:*:*:*:*:*:*:*
webmail
Version:
1.5.6
CPE:
cpe:2.3:a:roundcube:webmail:1.5.6:*:*:*:*:*:*:*
webmail
Version:
1.5.1
CPE:
cpe:2.3:a:roundcube:webmail:1.5.1:*:*:*:*:*:*:*
webmail
Version:
0.4
CPE:
cpe:2.3:a:roundcube:webmail:0.4:-:*:*:*:*:*:*
webmail
Version:
1.4.10
CPE:
cpe:2.3:a:roundcube:webmail:1.4.10:*:*:*:*:*:*:*
webmail
Version:
1.0.8
CPE:
cpe:2.3:a:roundcube:webmail:1.0.8:*:*:*:*:*:*:*
webmail
Version:
1.0.3
CPE:
cpe:2.3:a:roundcube:webmail:1.0.3:*:*:*:*:*:*:*
webmail
Version:
0.1.1
CPE:
cpe:2.3:a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*
webmail
Version:
0.8.2
CPE:
cpe:2.3:a:roundcube:webmail:0.8.2:*:*:*:*:*:*:*
webmail
Version:
0.5
CPE:
cpe:2.3:a:roundcube:webmail:0.5:-:*:*:*:*:*:*
webmail
Version:
1.0.7
CPE:
cpe:2.3:a:roundcube:webmail:1.0.7:*:*:*:*:*:*:*
webmail
Version:
1.1.5
CPE:
cpe:2.3:a:roundcube:webmail:1.1.5:*:*:*:*:*:*:*
webmail
Version:
0.5.4
CPE:
cpe:2.3:a:roundcube:webmail:0.5.4:*:*:*:*:*:*:*
webmail
Version:
0.9.4
CPE:
cpe:2.3:a:roundcube:webmail:0.9.4:*:*:*:*:*:*:*
webmail
Version:
1.4.11
CPE:
cpe:2.3:a:roundcube:webmail:1.4.11:*:*:*:*:*:*:*
This vulnerability affects 131 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
https://github.com/roundcube/roundcubemail/releasescve@mitre.org Release Notes
-
https://github.com/roundcube/roundcubemail/releases/tag/1.5.8cve@mitre.org Release Notes
-
https://github.com/roundcube/roundcubemail/releases/tag/1.6.8cve@mitre.org Release Notes
-
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8cve@mitre.org Vendor Advisory
-
https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/cve@mitre.org Technical Description Third Party Advisory
-
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
Severity Details
9.3
out of 10.0
Critical
CISA KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalog
Key Information
- Published Date
- August 05, 2024
