Two cross-site scripting vulnerabilities (CVE-2024-42009, CVE-2024-42008) affecting Roundcube could be exploited by attackers to steal users’ emails, contacts and email passwords, and to send emails from their accounts.

About the vulnerabilities

Roundcube is an open-source webmail software solution popular with European government agencies, hosting providers and academic institutions around the world. CVE-2024-42009 and CVE-2024-42008 are both XSS bugs. The former allows a remote attacker to steal and send emails of a victim via a crafted e-mail …

The post Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008) appeared first on Help Net Security.