PT-2024-4655 · Unknown+4 · Roundcube Webmail+4

Lutz Wolf +1 · Published 2019-11-09 · Updated 2025-12-06 · CVE-2024-37383

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions prior to 1.5.7 and 1.6.x prior to 1.6.7

Description: A stored cross-site scripting vulnerability in Roundcube Webmail allows an attacker to execute JavaScript code in the context of the user's webmail session. It is exploited by sending the user a crafted email; the malicious code runs as soon as the email is opened. The root cause is improper filtering of SVG tags, specifically the animate attributes. Over 2.7 million services are reported to be potentially affected, and real-world incidents have been reported in which the issue was exploited to steal credentials and compromise email accounts.

Recommendations: For versions prior to 1.5.7 and 1.6.x prior to 1.6.7, update to version 1.5.7 or 1.6.7 or later. As a temporary workaround until the patch is applied, consider disabling the rendering of SVG elements in emails and avoid using the animate attributes in SVG elements in emails. Restrict access to the vulnerable Roundcube Webmail instance to minimize the risk of exploitation.
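As an added defensive example (not code from the advisory, from Positive Technologies or from Roundcube), the following Python filter applies the interim workaround at a mail-gateway or rendering layer: it drops SMIL animation elements found inside inline SVG in an HTML body and reports what it removed so the event can be logged. The set of element names, the class/function names and the sample body are assumptions, not taken from the advisory.

```python
from html.parser import HTMLParser

# SMIL animation elements inside inline SVG; the advisory's interim workaround keeps these out of mail.
SVG_ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "set"}
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never get an end tag

class SvgAnimationStripper(HTMLParser):
    def __init__(self):
        # convert_charrefs=False: entities are copied as written, never decoded and re-emitted.
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []
        self.svg_depth = 0   # nesting depth inside <svg>
        self.skip_depth = 0  # >0 while inside an element being dropped
    def handle_starttag(self, tag, attrs):
        self.svg_depth += tag == "svg"
        if self.skip_depth:
            self.skip_depth += tag not in VOID_TAGS
        elif tag in SVG_ANIMATION_TAGS and self.svg_depth:
            self.removed.append((tag, dict(attrs)))  # record what was dropped
            self.skip_depth = 1
        else:
            self.out.append(self.get_starttag_text())  # copy the tag verbatim
    def handle_startendtag(self, tag, attrs):  # self-closing form, e.g. <rect/>
        before = self.skip_depth
        self.handle_starttag(tag, attrs)
        self.skip_depth = before  # element already closed: nothing more to skip
        self.svg_depth -= tag == "svg"
    def handle_endtag(self, tag):
        self.svg_depth -= tag == "svg" and self.svg_depth > 0
        if self.skip_depth:
            self.skip_depth -= 1
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")
    def handle_comment(self, data): self.handle_data(f"<!--{data}-->")

def strip_svg_animation(html):
    """Returns (sanitized_html, [(tag, attrs), ...]) for one HTML mail body."""
    p = SvgAnimationStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample (not a real message): the <animate> inside the inline SVG is
# dropped; the same element outside any <svg> is left untouched.
SAMPLE_BODY = ('<p>Hi &amp; welcome</p><svg width="10"><rect width="5"/>'
               '<animate attributeName="width" to="10" dur="1s"/></svg>'
               '<animate attributeName="x"/>')
```

The `removed` list is what a gateway would write to its log; an empty list means the body passed through unchanged.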

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2021-3558
ALT-PU-2022-1073
ALT-PU-2023-6826
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2024-05163
CVE-2024-37383
DLA-3835-1
DSA-5714-1
USN-6848-1

Affected Products

Alt Linux
Linuxmint
Red Os
Roundcube Webmail
Ubuntu