CVE-2024-37383

MEDIUM KEV LAB

Roundcube Webmail < 1.5.7 - XSS

Title source: rule

Description

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

Exploits (4)

exploitdb WORKING POC

by AmirZargham · textwebappsphp

https://www.exploit-db.com/exploits/52173

View Code ZIP pw:eip

nomisec WORKING POC 5 stars

by bartfroklage · client-side

https://github.com/bartfroklage/CVE-2024-37383-POC

View Code ZIP pw:eip

nomisec WORKING POC

by hyungin0505 · client-side

https://github.com/hyungin0505/CVE-2024-37383_PoC

View Code ZIP pw:eip

nomisec WORKING POC

by amirzargham · client-side

https://github.com/amirzargham/CVE-2024-37383-exploit

View Code ZIP pw:eip

References (5)

[Patch] https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242

[Release Notes] https://github.com/roundcube/roundcubemail/releases/tag/1.5.7

[Release Notes] https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383

Scores

CVSS v3 6.1

EPSS 0.6403

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull roundcube/roundcubemail:1.6.6-apache

docker pull greenmail/standalone:latest

https://github.com/bartfroklage/CVE-2024-37383-POC

https://github.com/amirzargham/CVE-2024-37383-exploit

https://github.com/hyungin0505/CVE-2024-37383_PoC

View in Library

Details

CISA KEV 2024-10-24

VulnCheck KEV 2024-10-09

InTheWild.io 2024-10-24

ENISA EUVD EUVD-2024-36625

CWE

CWE-79

Status published

Products (2)

debian/debian_linux 10.0

roundcube/webmail < 1.5.7

Published Jun 07, 2024

KEV Added Oct 24, 2024

Tracked Since Feb 18, 2026