Critical XSS bug in Roundcube Webmail allows attackers to steal emails and sensitive data

Pierluigi Paganini August 07, 2024

Researchers warn of flaws in the Roundcube webmail software that could be exploited to steal sensitive information from target accounts.

Sonar’s Vulnerability Research Team discovered a critical Cross-Site Scripting (XSS) vulnerability in the popular open-source webmail software Roundcube. Roundcube is included by default in the server hosting panel cPanel which has millions of installations worldwide.

An attacker can trigger the vulnerability to execute arbitrary JavaScript in the victim’s browser when they view a malicious email, potentially leading to the theft of emails, contacts, passwords, and unauthorized email sending.

Experts pointed out that government employees’ emails are a valuable target for APT groups carrying out cyber espionage campaigns. In October 2023, ESET Research revealed that a similar vulnerability was exploited by the APT group Winter Vivern to target European government entities.

The experts discovered two XSS vulnerabilities tracked as CVE-2024-42009 and CVE-2024-42008, which have critical and high ratings respectively. The flaws impact Roundcube version 1.6.7 and below, and version 1.5.7 and below.

No user interaction is required to successfully exploit the CVE-2024-42009, while for CVE-2024-42008, a single click by the victim is needed.

“These allow an unauthenticated attacker to steal emails and contacts, as well as send emails from a victim’s account. All the victim user has to do is view a malicious email in Roundcube.” reads the report published by Sonar. “Attackers can gain a persistent foothold in the victim’s browser across restarts, allowing them to exfiltrate emails continuously or steal the victim’s password the next time it is entered.”

The company did not disclose technical details of the vulnerabilities to give administrators time to update. However, APT groups may still discover the way to weaponize these flaws. Researchers strongly recommend Roundcube administrators apply the latest patches (version 1.6.8 or 1.5.8) immediately. Affected users should change their email passwords and clear their browser’s site data for Roundcube.

The experts also discovered an information disclosure vulnerability, tracked as CVE-2024-42010, that is caused by insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, roundcube)

Pierluigi Paganini July 24, 2025

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 23, 2025