Unknown · Roundcube Webmail · CVE-2024-37384
Name of the Vulnerable Software and Affected Versions:
Roundcube Webmail versions 1.5.0 through 1.5.6
Roundcube Webmail versions 1.6.0 through 1.6.6
Description:
The vulnerability stems from insufficient protection of the web page structure in Roundcube Webmail, which allows a remote attacker to conduct cross-site scripting (XSS) attacks via list columns from user preferences.
Recommendations:
For Roundcube Webmail versions 1.5.0 through 1.5.6, update to version 1.5.7 or later.
For Roundcube Webmail versions 1.6.0 through 1.6.6, update to version 1.6.7 or later.
As a temporary workaround, consider restricting access to user preferences to minimize the risk of exploitation.