CVE-2024-37383

MEDIUM KEV LAB

Roundcube Webmail < 1.5.7 and 1.6.x < 1.6.7 - Cross-Site Scripting via SVG Animate Attributes

Title source: llm

Exploitation Summary

CVE-2024-37383 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2024. EIP tracks 4 public exploits from researchers including AmirZargham, bartfroklage, hyungin0505.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Roundcube Webmail versions earlier than 1.5.6 or from 1.6 to 1.6.6. It automates the retrieval of all inbox messages and forwards them to an attacker-controlled server via JavaScript injection.

Description

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

Exploits (4)

exploitdb WORKING POC

by AmirZargham · textwebappsphp

https://www.exploit-db.com/exploits/52173

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Roundcube Webmail versions earlier than 1.5.6 or from 1.6 to 1.6.6. It automates the retrieval of all inbox messages and forwards them to an attacker-controlled server via JavaScript injection.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail < 1.5.6 or 1.6 to 1.6.6

Auth required

Prerequisites: Access to send a malicious email to the target · Victim interaction (opening the email) · Attacker-controlled server to receive exfiltrated data

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 5 stars

by bartfroklage · client-side

https://github.com/bartfroklage/CVE-2024-37383-POC

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2024-37383, an XSS vulnerability in Roundcube. The exploit sends a crafted email with an SVG-based payload that triggers an alert when clicked by the victim in Roundcube's web interface.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Roundcube 1.6.3

No auth needed

Prerequisites: SMTP access to send emails · Victim interaction (click required)

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by hyungin0505 · client-side

https://github.com/hyungin0505/CVE-2024-37383_PoC

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2024-37383, an XSS vulnerability in Roundcube Webmail due to improper SVG attribute parsing. It includes a Docker setup for a vulnerable environment and a Python script to send a malicious email with an SVG payload.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Roundcube Webmail v1.5.7 or v1.6.x < v1.6.7

No auth needed

Prerequisites: Docker environment · SMTP server access

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by amirzargham · client-side

https://github.com/amirzargham/CVE-2024-37383-exploit

View Code ZIP pw:eip

This repository contains a functional JavaScript-based exploit for CVE-2024-37383, a stored XSS vulnerability in Roundcube Webmail. The exploit automates the extraction of all messages from a victim's inbox and forwards them to an attacker-controlled server via crafted SVG payloads.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail (versions < 1.5.6 or 1.6 to 1.6.6)

Auth required

Prerequisites: Victim interaction (clicking malicious SVG link) · Valid Roundcube session credentials · Attacker-controlled server to receive exfiltrated data

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →