6.1
CVE-2024-37383
- EPSS 73.3%
- Veröffentlicht 07.06.2024 04:15:30
- Zuletzt bearbeitet 31.10.2025 12:48:27
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
24.10.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
SchwachstelleRoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.
BeschreibungApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 73.3% | 0.994 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383