Roundcube Webmail CVE-2024-37383: XSS via SVG animate attributes

2024-11-18

Roundcube Webmail versions before 1.5.7, and 1.6.x before 1.6.7, are vulnerable to Cross-Site Scripting (XSS) due to improper handling of SVG `animate` attributes. A malicious actor could exploit this vulnerability with a crafted email carrying arbitrary JavaScript, potentially stealing login credentials or performing other malicious actions within the victim’s browser context.

Vulnerability Information:

Platform: Roundcube Webmail
Version: Before 1.5.7 and 1.6.x before 1.6.7
Vulnerability: XSS via SVG animate attributes
Severity: Medium (CVSS score: 6.1)
Date: May 19, 2024 (patched versions released)

What Undercode Says:

This vulnerability highlights the importance of keeping webmail software up to date. Users of Roundcube Webmail should upgrade to versions 1.5.7 or 1.6.7 or later to mitigate the risk of XSS attacks. Additionally, email administrators should be wary of suspicious emails, especially those containing SVG elements.
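For triaging mail that contains SVG elements, as advised above, the following added example (not Undercode's or Roundcube's code) walks a message's HTML and SVG parts and lists every SVG animation element with its attributes for review. The sample message is constructed, and the function and class names are assumptions of this example; note that Python's `HTMLParser` lowercases tag and attribute names.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Animation elements defined by the SVG specification (lowercased by HTMLParser).
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}

# Constructed sample message with a harmless opacity animation.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><svg width="10" height="10"><rect width="10" height="10">
<animate attributeName="opacity" values="0;1" dur="2s"/></rect></svg></body></html>
"""

class SvgAnimateFinder(HTMLParser):
    """Collects SVG animation elements found in one HTML or SVG body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag in ANIMATION_TAGS:
            # Recorded even outside <svg>, since a lenient renderer may accept it.
            self.findings.append({"tag": tag, "in_svg": self.svg_depth > 0,
                                  "attrs": dict(attrs)})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_message(raw):
    """Return (content_type, finding) pairs for every HTML or SVG MIME part."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "image/svg+xml"):
            continue
        body = part.get_content()  # str for text parts, bytes for image parts
        body = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
        finder = SvgAnimateFinder()
        finder.feed(body)
        results.extend((ctype, f) for f in finder.findings)
    return results
```

A hit is a reason to look closer at the message, not proof that it is malicious; upgrading to a patched version remains the actual fix.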

References:

Reported By: Cve.org
Undercode AI: https://ai.undercodetesting.com
