Stored XSS in Roundcube Webmail message_body()
CVE-2024-42009 is a stored cross-site scripting vulnerability in Roundcube Webmail affecting versions through 1.5.7 and 1.6.x through 1.6.7; the fix shipped in 1.5.8 and 1.6.8. It is triggered by a crafted HTML email and is attributed to a desanitization flaw in message_body() in program/actions/mail/show.php: the message HTML is first sanitized, then post-processed for inline display, and that later step reintroduces markup the sanitizer had neutralized. Supporting context also describes improper attribute sanitization in the html4inline() processing path. Although some early references labeled it reflected XSS, the provided material consistently indicates stored XSS: the payload is embedded in an email, persists as message content, and executes whenever a victim opens the message in the Roundcube web interface, with no interaction beyond viewing the mail. Successful exploitation runs attacker-supplied JavaScript in the victim's authenticated Roundcube session, with reported abuse including credential theft, mailbox access, and reading and sending email on the victim's behalf.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a minimal Docker-based proof-of-concept for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail. It contains only two files: a README describing exploitation steps and a docker-compose.yml that provisions a local lab with docker-mailserver and a vulnerable Roundcube 1.6.7 instance. There is no standalone exploit script; the exploit is operationalized through documented manual steps using swaks to send a crafted HTML email. The main exploit capability is stored cross-site scripting via malicious HTML email content. The payload abuses Roundcube's HTML sanitization and later attribute reprocessing to create attribute-boundary confusion and reintroduce an event handler such as onanimationstart=alert(1). When the victim logs into Roundcube and opens the email, arbitrary JavaScript executes in the browser context of the Roundcube session. The demonstrated payload is a simple alert, so this is best classified as a PoC rather than a weaponized exploit. Repository structure and purpose: README.md explains the vulnerability, affected versions, setup, user creation, access details, exploitation steps, and mitigation. docker-compose.yml defines two services: a mailserver container exposing SMTP/IMAP-related ports and a Roundcube container exposing HTTP on localhost:8080. The compose file also defines persistent volumes and Roundcube mail settings pointing to the mailserver service. Overall, the repository's purpose is to let a researcher quickly reproduce and observe the stored XSS issue in a controlled local environment.
This repository is a proof-of-concept exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail (versions through 1.5.7 and 1.6.x through 1.6.7). The exploit consists of a Python script (exploit.py) that, according to the repository's own description, crafts and sends a malicious email to a target instance via a contact form endpoint; note that Roundcube itself reads mail over IMAP and sends over SMTP rather than accepting it through a web form, so that delivery step is specific to the repository's target setup. The email contains a specially crafted HTML body with a base64-encoded JavaScript payload that leverages the desanitization issue in Roundcube's HTML parsing. When a victim opens the email, the payload executes in their browser, iterates through their inbox, and exfiltrates email contents to an attacker-controlled HTTP server. The script also implements a local HTTP server to receive and display the exfiltrated emails. The repository includes a README with usage instructions, a requirements.txt for dependencies, and a .gitignore. The exploit is a functional PoC and does not include stealth or weaponization features.
This repository is a Proof of Concept (PoC) exploit for CVE-2024-42009, targeting a cross-site scripting (XSS) vulnerability in an unspecified webmail application. The repository contains three files: a LICENSE, a README.md with detailed usage instructions, and the main exploit script (exploit.py). The exploit works by starting an HTTP listener on the attacker's machine to receive exfiltrated email data. It then sends crafted emails to the target webmail application, injecting a malicious HTML payload. When a victim opens the email, the XSS payload executes in their browser, fetches the content of their email, base64-encodes it, and sends it to the attacker's listener via an HTTP GET request. The exploit.py script automates both the listener and the payload injection process. The code is written in Python and uses the requests and BeautifulSoup libraries. The exploit is a functional PoC and does not include weaponized or highly automated features beyond the basic exfiltration workflow.
This repository contains a Python-based exploit for CVE-2024-42009, a stored XSS vulnerability in Roundcube Webmail 1.6.7. The main file, exploit.py, serves two purposes: it runs an HTTP listener to capture exfiltrated email content and sends a malicious XSS payload to the target's contact form. The payload, when triggered in a victim's browser, fetches the victim's email content and sends it (base64-encoded) to the attacker's listener. The exploit is operational and requires the attacker to configure the target URL and their own listener IP/port. The README provides clear usage instructions and context about the vulnerability. No fake or detection-only scripts are present; the code is a working exploit. The only code file is exploit.py, written in Python, and the repository is small and focused.
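The desanitization pattern behind this bug class, as the description above and the first PoC summary both outline it: an allowlist sanitizer produces clean markup, and a later "inline display" step rewrites that markup at the string level and undoes the sanitizer's quoting. The following is an added Python illustration, not Roundcube's code; it does not reproduce the actual message_body()/html4inline() logic, and the sanitizer, the rewrite step, the allowlists and the payload are all constructed here. The vulnerable rewrite entity-decodes attribute values so it can inspect the CSS and then re-inserts them unescaped, so a quote smuggled inside a title attribute becomes an attribute boundary and an onanimationstart handler reappears in the final markup; the fixed variant re-escapes before re-inserting.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlists for the toy sanitizer (not Roundcube's).
ALLOWED_TAGS = {"body", "div", "p", "span", "b", "i", "a"}
ALLOWED_ATTRS = {"title", "style", "class", "href"}


class Sanitizer(HTMLParser):
    """Allowlist sanitizer: keeps known tags and attributes, drops on*
    handlers, and re-serializes every attribute value quoted and escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:          # names arrive lower-cased
            if name in ALLOWED_ATTRS:      # on* names never pass the allowlist
                parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    p = Sanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


ATTR_RE = re.compile(r'([a-zA-Z-]+)="([^"]*)"')
BODY_RE = re.compile(r"<body([^>]*)>", re.I)


def _rewrite_body(sanitized, escape_values):
    """Post-sanitization 'inline' step: turn <body> into a <div> for embedding
    in the webmail UI and tone down 'position: fixed'. The vulnerable and fixed
    variants differ only in whether values are re-escaped on re-insertion."""
    m = BODY_RE.search(sanitized)
    if not m:
        return sanitized
    rebuilt = []
    for name, value in ATTR_RE.findall(m.group(1)):
        value = html.unescape(value)   # decode so the CSS can be inspected
        if name == "style":
            value = re.sub(r"position\s*:\s*fixed", "position: absolute", value)
        if escape_values:
            value = html.escape(value, quote=True)   # fixed: restore quoting
        # vulnerable: a decoded '"' lands here verbatim and closes the attribute
        rebuilt.append(f'{name}="{value}"')
    div = "<div " + " ".join(rebuilt) + ">"
    tail = re.sub(r"</body>", "</div>", sanitized[m.end():], flags=re.I)
    return sanitized[: m.start()] + div + tail


def html4inline_vulnerable(sanitized):
    return _rewrite_body(sanitized, escape_values=False)


def html4inline_fixed(sanitized):
    return _rewrite_body(sanitized, escape_values=True)


class EventAttrCollector(HTMLParser):
    """Browser-side view: which on* attributes does the final markup carry?"""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend((tag, n) for n, _ in attrs if n.startswith("on"))


def event_handlers(markup):
    c = EventAttrCollector()
    c.feed(markup)
    c.close()
    return c.found


# Constructed payload in the spirit of the public PoC: a '"' smuggled through a
# single-quoted attribute, plus an animation so the handler fires on render
# (a real mail would also carry the @keyframes rule in a <style> block).
PAYLOAD_EMAIL_HTML = (
    "<body title='x\" onanimationstart=\"alert(1)' "
    'style="animation-name: spin; position: fixed"><p>hi</p></body>'
)


def render(raw_html, rewrite):
    """What the victim's browser receives: sanitize, then inline-rewrite."""
    return rewrite(sanitize(raw_html))


if __name__ == "__main__":
    print(render(PAYLOAD_EMAIL_HTML, html4inline_vulnerable))
    print(render(PAYLOAD_EMAIL_HTML, html4inline_fixed))
```

The check a practitioner wants is event_handlers() on the markup the browser actually receives, not on the sanitizer's intermediate output: a plain regex for `on...=` over the sanitized string would false-positive on the escaped title value, while parsing the final markup shows the handler only in the vulnerable path. Re-escaping is the minimal fix; the more robust one is to do all inline rewriting on the parsed tree during the single serialization pass, so attribute values are quoted in exactly one place.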
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Roundcube webmail vulnerability exploited by Russian APT groups.
A specific Roundcube vulnerability that enables JavaScript execution when a weaponized email is opened, used by FrostyNeighbor for credential theft.
A specific vulnerability identified as CVE-2024-42009 is referenced in the context of a Nuclei template matcher refactor, apparently involving version range checks. The content does not provide substantive details about the flaw itself.
A specific vulnerability in Roundcube webmail (CVE-2024-42009) that multiple actors abused to deliver JavaScript-based downloaders and credential-stealing payloads.