RoundCube Webmail contains a cross-site scripting vulnerability. It could allow a remote attacker to steal and send a victim's emails via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2024-42009 | RoundCube Webmail Cross-Site Scripting Vulnerability | exploitation_technique | T1566.002 | Spearphishing Link | An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the attacker to exfiltrate email data and to commandeer the victim's browser. |
| CVE-2024-42009 | RoundCube Webmail Cross-Site Scripting Vulnerability | primary_impact | T1114 | Email Collection | An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the attacker to exfiltrate email data and to commandeer the victim's browser. |
| CVE-2024-42009 | RoundCube Webmail Cross-Site Scripting Vulnerability | primary_impact | T1056 | Input Capture | An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the attacker to exfiltrate email data and to commandeer the victim's browser. |