CVE-2024-37383 — RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

2024-10-24 • CISA Known Exploited Vulnerability

[event] RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

> AFFECTED SOFTWARE

Field	Value
Vendor	Roundcube
Product	Webmail
CWE	CWE-79
CVE ID	CVE-2024-37383
Date Added	2024-10-24
Due Date	2024-11-14
Ransomware Campaign	Unknown

> MITIGATION

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Due Date: 2024-11-14

> REFERENCES

[1] https://github.com/roundcube/roundcubemail/releases/tag/1.5.7,
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-37383