CVE-2024-37383
Published 2024-06-07
CVE-2024-37383: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Priority P1 · 83 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerabilitydue 2024-11-14
Exploited in the wild
EPSS: 73.30% (99.4th percentile)
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u2 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u2 (bookworm) |
| roundcube | webmail | < 1.5.7 | 1.5.7 |
| roundcube | webmail | >= 1.6.0 < 1.6.7 | 1.6.7 |
Detection & IOCs (extracted from sources)
- Monitor Roundcube HTML pages for unauthorized injection of login form fields named 'rcmloginuser' and 'rcmloginpwd', which indicate active credential harvesting via this XSS.
- Monitor for use of the ManageSieve plugin in Roundcube in conjunction with suspicious activity, as attackers leverage it for mail exfiltration post-exploitation.
- Inspect inbound emails for SVG animate attributes containing embedded JavaScript: the specific HTML construct that triggers the stored XSS in vulnerable Roundcube versions.
- The exploit is triggered only when a victim opens the malicious email in a vulnerable Roundcube version; no user interaction beyond opening the email is required for the XSS to fire.
- Affected versions are Roundcube earlier than 1.5.7 and 1.6.x before 1.6.7; patched releases are 1.5.7 and 1.6.7 (May 19). Detection rules should scope to these version ranges.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | | 6.1 | MEDIUM | |
| vulncheck | | 6.1 | MEDIUM | |
| cisa | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
| vendor_ubuntu | | 6.1 | MEDIUM | |
CISA
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
cisa·2024-10-24·CVSS 6.1
CVE-2024-37383 [MEDIUM] CWE-79 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
Vulnerability: RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
Affected: Roundcube Webmail
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7, https://github.com/roundcube/roundcubemail/releases/tag/1.6.7 ; https://nvd.nist.gov/vuln/detail/CVE-2024-37383
Remediation Due Date: 2024-11-14
Ubuntu
Roundcube vulnerabilities
vendor_ubuntu·2024-06-25·CVSS 6.1
CVE-2024-37383 [MEDIUM] Roundcube vulnerabilities
Title: Roundcube vulnerabilities
Summary: Roundcube could be made to crash or run programs if it received specially crafted input.
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could pos
Red Hat
roundcubemail: allows XSS via SVG animate attributes
vendor_redhat·2024-06-07·CVSS 6.1
CVE-2024-37383 [MEDIUM] roundcubemail: allows XSS via SVG animate attributes
roundcubemail: allows XSS via SVG animate attributes
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Statement: Red Hat has evaluated this vulnerability and its related components. No products are affected as the impacted component is not shipped in the Red Hat Product Portfolio.
Debian
CVE-2024-37383: roundcube - Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate...
vendor_debian·2024·CVSS 6.1
CVE-2024-37383 [MEDIUM] CVE-2024-37383: roundcube - Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate...
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u2)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u3)
forky: resolved (fixed in 1.6.7+dfsg-1)
sid: resolved (fixed in 1.6.7+dfsg-1)
trixie: resolved (fixed in 1.6.7+dfsg-1)
OSV
roundcube vulnerabilities
osv·2024-06-25·CVSS 6.1
CVE-2023-5631 [MEDIUM] roundcube vulnerabilities
roundcube vulnerabilities
GHSA
GHSA-8j3w-26mp-75xh: Roundcube Webmail before 1
ghsa_unreviewed·2024-06-07
CVE-2024-37383 [MEDIUM] CWE-79 GHSA-8j3w-26mp-75xh: Roundcube Webmail before 1
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
OSV
CVE-2024-37383: Roundcube Webmail before 1
osv·2024-06-07·CVSS 6.1
CVE-2024-37383 [MEDIUM] CVE-2024-37383: Roundcube Webmail before 1
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
VulnCheck
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
vulncheck·2024·CVSS 6.1
CVE-2024-37383 [MEDIUM] CWE-79 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.
Affected: Roundcube Roundcube Webmail
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.ptsecurity.com/ru-ru/research/analytics/dajdzhest-trendovyh-uyazvimostej-sentyabr-2024-goda/; https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.enisa.europa.eu/sit
Suricata
ET EXPLOIT Roundcube XSS via SVG Animate Attributes (CVE-2024-37383)
suricata·2026-01-08·CVSS 6.1
CVE-2024-37383 [MEDIUM] ET EXPLOIT Roundcube XSS via SVG Animate Attributes (CVE-2024-37383)
ET EXPLOIT Roundcube XSS via SVG Animate Attributes (CVE-2024-37383)
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Roundcube XSS via SVG Animate Attributes (CVE-2024-37383)"; flow:established,to_server; content:"|3c|animate|20|"; content:"attributename|3d 22|href|20 22|"; fast_pattern; nocase; distance:0; content:"values|3d 22|"; nocase; pcre:"/^[^\x22]*?javascript|3a|/Ri"; reference:url,global.ptsecurity.com/en/research/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability/; reference:cve,2024-37383; classtype:misc-attack; sid:2066622; rev:2; metadata:affected_product Roundcube, attack_target SMTP_Server, created_at 2026_01_08, cve CVE_2024_37383, deployment Perimeter, deployment Internal, confidence Hig
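The detection guidance above (injected rcmloginuser/rcmloginpwd fields, SVG animate with a javascript: href) and the content matches of the ET rule, implemented over decoded MIME parts as an added example. This is not Roundcube or Emerging Threats code; the sample message is constructed, and the example goes beyond the rule by inspecting base64-encoded bodies and entity-encoded attribute values that a raw SMTP content match would miss.

```python
import base64
import email
import re
from email import policy
from html import unescape

# Any <animate ...> tag; attributes are parsed separately so their order does not matter.
ANIMATE_TAG = re.compile(r"<animate\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r"""([A-Za-z:_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>/]+))""")
# Roundcube login-form field names the guidance above flags when injected into a page.
LOGIN_FIELD = re.compile(r"""name\s*=\s*["']?(rcmloginuser|rcmloginpwd)\b""", re.IGNORECASE)

def _attrs(tag_body: str) -> dict:
    """Lower-cased attribute name -> value for one tag body."""
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in ATTR.finditer(tag_body)}

def suspicious_animates(html: str) -> list:
    """Return attribute dicts of <animate> tags that animate href to a javascript: URL."""
    hits = []
    for m in ANIMATE_TAG.finditer(html):
        a = _attrs(m.group(1))
        if a.get("attributename", "").lower() != "href":
            continue
        # Undo entity encoding and collapse whitespace so a split-up scheme is still caught.
        values = re.sub(r"\s+", "", unescape(a.get("values", ""))).lower()
        if "javascript:" in values:
            hits.append(a)
    return hits

def scan_message(raw: bytes) -> dict:
    """Scan every text/html part of an RFC 822 message after transfer-decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"animate_href_js": [], "login_fields": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # base64 / quoted-printable already undone here
        findings["animate_href_js"] += suspicious_animates(html)
        findings["login_fields"] += sorted({m.group(1).lower() for m in LOGIN_FIELD.finditer(html)})
    return findings

# Constructed sample message (not a real capture), base64-encoded as many mailers send HTML.
SAMPLE_HTML = ('<p>constructed sample</p><svg><a><animate attributeName="href" '
               'values="javascript:void(0)"/>x</a></svg>')
SAMPLE_RAW = (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
              b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
              b"Content-Type: text/html; charset=utf-8\r\n"
              b"Content-Transfer-Encoding: base64\r\n\r\n"
              + base64.encodebytes(SAMPLE_HTML.encode()))
```

Run `scan_message` over messages at the MTA or on a mailbox export; a non-empty `animate_href_js` list is the construct the rule above fires on, while `login_fields` is only meaningful when scanning served Roundcube pages rather than inbound mail.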
Checkpoint
28th October – Threat Intelligence Report
blogs_checkpoint·2024-10-28
CVE-2024-20481 28th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Grupo Aeroportuario del Centro Norte (OMA), operator of 13 airports across Mexico, was hacked by the RansomHub ransomware gang, who threatened to leak 3TB of stolen data unless a ransom is paid. The attack disrupted terminal information screens and forced OMA to activate backup systems, with no reported material adverse e
Bleepingcomputer
Hackers exploit Roundcube webmail flaw to steal email, credentials
blogs_bleepingcomputer·2024-10-21·CVSS 6.1
[MEDIUM] Hackers exploit Roundcube webmail flaw to steal email, credentials
By Bill Toulas
Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.
An attack was discovered by Russian cybersecurity company Positive Technologies in September, but the researchers determined that the threat actor activity had started in June.
Roundcube Webmail is an open-source, PHP-based webmail solution with support for plugins to extend its functionality, that is popular with commercial and government entities.
The threat actor exploited a medium-severity stored XSS (cross-site scripting) vulnerability identified as CVE-2024-37383, which allows the ex
References
- https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
- https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383
Timeline
- 2024-06-07: Published
- 2024-10-24: Added to CISA KEV
- Exploited in the wild