CVE-2024-37383

Warnung

EPSS 61.42%
Veröffentlicht 07.06.2024 04:15:30
Zuletzt bearbeitet 20.12.2024 16:52:05
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Roundcube ≫ Webmail Version < 1.5.7

Roundcube ≫ Webmail Version >= 1.6.0 < 1.6.7

Debian ≫ Debian Linux Version10.0

24.10.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

Schwachstelle

RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	61.42%	0.983

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242

Patch

https://github.com/roundcube/roundcubemail/releases/tag/1.5.7

Release Notes

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

Release Notes

https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-37383

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37383

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37383

EUVD