CVE-2024-37383
In short
Roundcube Webmail does not properly sanitize SVG animate attributes in HTML email, so an attacker who sends a crafted message can run script in the recipient's browser as soon as the message is opened, and use that to steal session data or act as the user inside the webmail.
Technical detail
CWE-79 (cross-site scripting), stored: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 does not properly sanitize attributes of SVG animate elements in HTML email, so sender-controlled script survives the HTML sanitizer and executes in the victim's browser when the message is rendered. The only precondition is a crafted email delivered to the target; the victim's only action is opening it (UI:R). Impact is bounded by the user's session in the webmail origin: session hijacking, reading or sending mail as the victim, and credential theft through injected content. Fixed in 1.5.7 and 1.6.7 (commit 43aaaa5, linked below); the CVE is listed in the CISA Known Exploited Vulnerabilities catalog, so treat unpatched instances as actively targeted.
Summary generated and translated by AI from the official description.
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
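The two checks a practitioner wants from this advisory are "is my instance in an affected range" and "is there mail already in the store that carries SVG animation markup". The following is an added example for both, written for this page and not Roundcube's own code. It assumes the version ranges stated above and, as an assumption, flags every SMIL animation element found inside an inline `<svg>` rather than only the one the sanitizer mishandled, since the advisory does not name it. The sample mail bodies are constructed for the example.

```python
"""Exposure check for CVE-2024-37383 (Roundcube XSS via SVG animate attributes).
Added example, not Roundcube's code.  is_vulnerable() compares a version string
against the affected ranges from the advisory; scan_mail_html() walks an HTML
mail body and reports SVG animation elements for triage of stored mail."""

import re
from html.parser import HTMLParser

# Affected ranges from the advisory: every release before 1.5.7, and 1.6.x
# before 1.6.7.  1.5.7 and 1.6.7 are the first fixed releases.
FIRST_FIXED_15 = (1, 5, 7)
FIRST_FIXED_16 = (1, 6, 7)


def parse_version(text: str) -> tuple:
    """Extract a comparable (major, minor, patch) tuple from strings such as
    '1.6.6' or 'Roundcube Webmail 1.6.6'.  A missing patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the two affected ranges."""
    v = parse_version(version)
    if v < FIRST_FIXED_15:
        return True                       # 1.5.6, 1.4.x, 1.3.x ...
    if (1, 6, 0) <= v < FIRST_FIXED_16:
        return True                       # 1.6.0 .. 1.6.6
    return False                          # 1.5.7+, 1.6.7+, later branches


# SMIL animation elements that take an attributeName target.  Which of these
# the vulnerable sanitizer mishandled is not stated on the page; this scan is
# deliberately broad and flags all of them (assumption made for the example).
SVG_ANIMATION_ELEMENTS = {"animate", "animatemotion", "animatetransform", "set"}


class SvgAnimationScanner(HTMLParser):
    """Records every animation element that appears inside an <svg> subtree.
    html.parser lowercases tag and attribute names, so attributeName is
    looked up as 'attributename'."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []   # list of (element name, attributeName value)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif self.svg_depth and tag in SVG_ANIMATION_ELEMENTS:
            self.findings.append((tag, dict(attrs).get("attributename")))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_mail_html(body: str) -> list:
    """Return [(element, attributeName), ...] for SVG animation elements in
    an HTML mail body; an empty list means nothing to look at."""
    scanner = SvgAnimationScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample bodies: a static inline SVG, and one carrying an
# animation element that targets an attribute of its parent element.
BENIGN_MAIL = '<p>Hello</p><svg width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
FLAGGED_MAIL = ('<p>Invoice attached</p><svg xmlns="http://www.w3.org/2000/svg">'
                '<a><animate attributeName="fill" values="red;blue" dur="1s"/></a></svg>')


if __name__ == "__main__":
    for ver in ("1.5.6", "1.6.6", "1.6.7", "Roundcube Webmail 1.5.7"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for name, body in (("benign", BENIGN_MAIL), ("flagged", FLAGGED_MAIL)):
        print(f"{name}: {scan_mail_html(body)}")
```

The scanner is a triage aid, not a sanitizer: a hit means a human should look at the message and at whether the instance that rendered it was patched, and a benign animation such as the `fill` example will be flagged too. Feed it the raw HTML part of each message, not the output of Roundcube's own sanitizer, since a fixed instance will already have stripped what you are looking for.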
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1, Medium)
Affected products
Roundcube Webmail before 1.5.7, and 1.6.x before 1.6.7 (taken from the description above; the product listing itself gives n/a).
Public PoCs found: 4
github: github.com/bartfroklage/CVE-2024-37383-POC (★ 5)
github: github.com/amirzargham/CVE-2024-37383-exploit (★ 0)
github: github.com/hyungin0505/CVE-2024-37383_PoC (★ 0)
exploitdb: www.exploit-db.com/exploits/52173 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383