PT-2024-4656 · Unknown+4 · Roundcube Webmail+4

Huy Nguyễn Phạm Nhật

·

Published

2024-05-19

·

Updated

2025-06-23

·

CVE-2024-37384

CVSS v2.0

6.4

Medium

VectorAV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.5.0 through 1.5.6 Roundcube Webmail versions 1.6.0 through 1.6.6
Description: The issue is related to insufficient protection of the web page structure in Roundcube Webmail, allowing a remote attacker to conduct cross-site scripting attacks using list columns from user preferences.
Recommendations: For Roundcube Webmail versions 1.5.0 through 1.5.6, update to version 1.5.7 or later. For Roundcube Webmail versions 1.6.0 through 1.6.6, update to version 1.6.7 or later. As a temporary workaround, consider restricting access to user preferences to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2025-8283
BDU:2024-05163
BDU:2024-05164
CVE-2024-37384
DLA-3835-1
DSA-5714-1
USN-6848-1

Affected Products

Alt Linux
Linuxmint
Red Os
Roundcube Webmail
Ubuntu