CVE-2024-42009 is a cross-site scripting vulnerability in Roundcube Webmail affecting versions through 1.5.7 and 1.6.x through 1.6.7. The issue is described as a desanitization flaw in message_body() in program/actions/mail/show.php, with supporting context indicating improper sanitization of attacker-controlled HTML/JavaScript content during message rendering, including handling via html4inline(). In practice, a crafted HTML email can persist malicious script content and trigger JavaScript execution when the victim opens the message in Roundcube. Although some early references labeled it reflected XSS, the provided context consistently supports stored XSS delivered via weaponized email content. The flaw has been observed abused to execute JavaScript in the victim’s authenticated webmail session, including theft of credentials, cookies, mailbox data, and preparation for follow-on exploitation.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a compact proof-of-concept exploit set for CVE-2024-42009 targeting Roundcube Webmail 1.6.6 and earlier. It contains three functional artifacts: exploit.py, which generates and sends the malicious HTML email over SMTP; listener.py, which runs a simple HTTP server to receive exfiltrated data; and payload.html, which documents the injected HTML structure for manual inspection. The exploit is not part of a larger framework. The main exploit capability is stored XSS-based inbox exfiltration. exploit.py builds a malformed <body> tag whose unquoted attribute context injects a CSS animation trigger and an onanimationstart handler. That handler executes eval(atob(...)) on a base64-encoded JavaScript payload. When the victim opens the email inside Roundcube, the browser executes the script in the authenticated webmail context. The script then loops through message UIDs starting at 1, requesting each message from Roundcube's internal mail view endpoint until it encounters the error string indicating no more messages. All collected message content is then POSTed as JSON to an attacker-controlled HTTP listener. exploit.py uses only Python standard library modules (smtplib, base64, argparse, email.mime.*). It accepts attacker-controlled SMTP host, listener host/port, sender, recipient, and subject values, but the SMTP connection itself is hardcoded to port 25 in the send() function despite README text suggesting a configurable SMTP port. listener.py is a minimal BaseHTTPRequestHandler implementation that accepts OPTIONS and POST, enables permissive CORS headers, writes the received body to stolen_emails.json, and prints the number of recovered emails. payload.html is not executable by itself as delivered; it is a template/example showing the injection structure and intended JavaScript behavior. Overall, this is a real exploit PoC rather than a detector. It operationalizes delivery and collection for a stored XSS attack against vulnerable Roundcube instances, with a basic but functional exfiltration workflow.
This repository is a minimal Docker-based proof-of-concept for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail. It contains only two files: a README describing exploitation steps and a docker-compose.yml that provisions a local lab with docker-mailserver and a vulnerable Roundcube 1.6.7 instance. There is no standalone exploit script; the exploit is operationalized through documented manual steps using swaks to send a crafted HTML email. The main exploit capability is stored cross-site scripting via malicious HTML email content. The payload abuses Roundcube's HTML sanitization and later attribute reprocessing to create attribute-boundary confusion and reintroduce an event handler such as onanimationstart=alert(1). When the victim logs into Roundcube and opens the email, arbitrary JavaScript executes in the browser context of the Roundcube session. The demonstrated payload is a simple alert, so this is best classified as a PoC rather than a weaponized exploit. Repository structure and purpose: README.md explains the vulnerability, affected versions, setup, user creation, access details, exploitation steps, and mitigation. docker-compose.yml defines two services: a mailserver container exposing SMTP/IMAP-related ports and a Roundcube container exposing HTTP on localhost:8080. The compose file also defines persistent volumes and Roundcube mail settings pointing to the mailserver service. Overall, the repository's purpose is to let a researcher quickly reproduce and observe the stored XSS issue in a controlled local environment.
This repository is a proof-of-concept exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail (versions 1.5.7, 1.6.x through 1.6.7). The exploit consists of a Python script ('exploit.py') that crafts and sends a malicious email to a target Roundcube instance via its contact form endpoint. The email contains a specially crafted HTML body with a base64-encoded JavaScript payload that leverages a desanitization issue in Roundcube's HTML parsing. When a victim opens the email, the payload executes in their browser, iterates through their inbox, and exfiltrates email contents to an attacker-controlled HTTP server. The script also implements a local HTTP server to receive and display the exfiltrated emails. The repository includes a README with detailed usage instructions, a requirements.txt for dependencies, and a .gitignore. The exploit is a functional PoC and does not include advanced stealth or weaponization features.
This repository is a Proof of Concept (PoC) exploit for CVE-2024-42009, targeting a cross-site scripting (XSS) vulnerability in an unspecified webmail application. The repository contains three files: a LICENSE, a README.md with detailed usage instructions, and the main exploit script (exploit.py). The exploit works by starting an HTTP listener on the attacker's machine to receive exfiltrated email data. It then sends crafted emails to the target webmail application, injecting a malicious HTML payload. When a victim opens the email, the XSS payload executes in their browser, fetches the content of their email, base64-encodes it, and sends it to the attacker's listener via an HTTP GET request. The exploit.py script automates both the listener and the payload injection process. The code is written in Python and uses the requests and BeautifulSoup libraries. The exploit is a functional PoC and does not include weaponized or highly automated features beyond the basic exfiltration workflow.
This repository contains a Python-based exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail 1.6.7. The main file, exploit.py, serves two purposes: it runs an HTTP listener to capture exfiltrated email content and sends a malicious XSS payload to the target's contact form. The payload, when triggered in a victim's browser, fetches the victim's email content and sends it (base64-encoded) to the attacker's listener. The exploit is operational and requires the attacker to configure the target URL and their own listener IP/port. The README provides clear usage instructions and context about the vulnerability. No fake or detection-only scripts are present; the code is a working exploit. The only code file is exploit.py, written in Python, and the repository is small and focused.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
47 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical Roundcube vulnerability used as the first step in an exploit chain to execute JavaScript in a victim’s browser after the victim opens an email.
A Roundcube cross-site scripting vulnerability that allows attacker-supplied JavaScript to execute when a victim opens a malicious email in the vulnerable webmail client, enabling credential theft and follow-on server compromise.
Roundcube webmail vulnerability exploited by Russian APT groups.
A specific Roundcube vulnerability that enables JavaScript execution when a weaponized email is opened, used by FrostyNeighbor for credential theft.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.