CVE-2024-37383
Vexday Risk Score: 85 (Fix now)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
CVSS 6.1 · EPSS 73.3% · KEV: yes · Public PoC: yes · Patch: —
Lifecycle
Jun 07, 2024: Published on NVD
Oct 24, 2024: Active exploitation (CISA KEV)
Oct 24, 2024: Public PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Roundcube Webmail has a vulnerability where attackers can inject malicious code through SVG animation attributes in emails, allowing them to steal user information or perform actions on behalf of users.
Technical detail
CWE-79 (Stored XSS) in Roundcube versions before 1.5.7 and 1.6.x before 1.6.7, caused by improper sanitization of SVG animate elements. The attack vector requires crafted email content; execution occurs in the victim's browser when the email is rendered. Impact includes session hijacking and credential theft.
Summary generated and translated by AI from the official description.
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
Public PoCs found — 4
github: github.com/bartfroklage/CVE-2024-37383-POC (★ 5)
github: github.com/amirzargham/CVE-2024-37383-exploit (★ 0)
github: github.com/hyungin0505/CVE-2024-37383_PoC (★ 0)
exploitdb: www.exploit-db.com/exploits/52173 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383