CVE-2024-42008 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-42008 at MITRE

Description

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having not set severity.

No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

openSUSE-SU-2024:0328-1, published Wed Oct 9 16:49:34 2024

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP5	`roundcubemail >= 1.6.8-bp155.2.12.1`	Patchnames: openSUSE-2024-328
SUSE Package Hub 15 SP6	`roundcubemail >= 1.6.8-bp156.2.3.1`	Patchnames: openSUSE-2024-328
openSUSE Leap 15.5	`roundcubemail >= 1.6.8-bp155.2.12.1`	Patchnames: openSUSE-2024-328
openSUSE Leap 15.6	`roundcubemail >= 1.6.8-bp156.2.3.1`	Patchnames: openSUSE-2024-328
openSUSE Tumbleweed	`roundcubemail >= 1.6.8-1.1`	Patchnames: openSUSE-Tumbleweed-2024-14243

SUSE Timeline for this CVE

CVE page created: Mon Aug 5 22:00:16 2024
CVE page last modified: Sun Nov 2 00:22:58 2025