Summary
Active exploitation over the network of vulnerability CVE-2024-37383, already remediated by the vendor, affecting Roundcube Webmail, a popular open source webmail client, has been detected.
Risk
Estimated impact of the vulnerability on the target community: HIGH/ORANGE (70.64/100) [1].
Type
- Information Disclosure
- Privilege Escalation
Description
Exploitation of vulnerability CVE-2024-37383, already remediated by the vendor, affecting Roundcube Webmail, a well-known open source webmail client, was recently detected.
The vulnerability is a Cross-Site Scripting (XSS) flaw with a CVSS v3 base score of 6.1. A remote attacker who gets a victim to open a crafted e-mail in the vulnerable webmail client could execute arbitrary JavaScript in the victim's browser session, access sensitive information (such as mailbox contents) and perform actions with the victim's privileges within the application.
Affected products and versions
Roundcube Webmail
- 1.6.x, versions prior to 1.6.7
- All versions prior to 1.5.7
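The two affected ranges above are easy to misjudge by hand (1.5.7 and 1.6.7 are fixed, 1.5.6 and 1.6.6 are not, and every 1.4.x release is affected). The following is an added example, not code from the advisory or from the Roundcube project, that encodes exactly those ranges as a version check and applies it to the RCMAIL_VERSION constant that a Roundcube 1.x install defines in program/include/iniset.php. The PHP excerpt embedded in the block is constructed for the example, not copied from a real file.

```python
import re
from typing import Tuple

# Affected ranges exactly as stated in the advisory.
FIXED_1_6 = (1, 6, 7)   # 1.6.x before 1.6.7 is affected
FIXED_1_5 = (1, 5, 7)   # everything before 1.5.7 is affected (1.5.x, 1.4.x, ...)

# Constructed excerpt modelled on the define() line Roundcube 1.x ships
# in program/include/iniset.php. Not a real file from any installation.
SAMPLE_INISET = """<?php
// ... other bootstrap code omitted ...
define('RCMAIL_VERSION', '1.6.6');
"""

VERSION_DEFINE_RE = re.compile(
    r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a strict X.Y.Z release string into a comparable tuple.

    Pre-release labels (e.g. '1.6-beta', '1.6.7-rc') are rejected on purpose:
    they are not release versions and should be assessed manually rather
    than silently mapped onto a fixed release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported Roundcube version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """Return True if the given Roundcube release is in an affected range.

    1.6.0 .. 1.6.6 -> affected; 1.6.7+ -> fixed
    < 1.5.7       -> affected; 1.5.7, 1.5.8 -> fixed
    1.7.x and later are not listed in the advisory and are treated as fixed.
    """
    v = parse_version(version)
    if v >= (1, 6, 0):
        return v < FIXED_1_6
    return v < FIXED_1_5


def extract_version(iniset_php: str) -> str:
    """Pull the RCMAIL_VERSION value out of the contents of iniset.php."""
    m = VERSION_DEFINE_RE.search(iniset_php)
    if not m:
        raise ValueError("RCMAIL_VERSION define() not found")
    return m.group(1)


def assess_install(iniset_php: str) -> Tuple[str, bool]:
    """Combine extraction and range check: (version, affected?)."""
    version = extract_version(iniset_php)
    return version, is_affected(version)


if __name__ == "__main__":
    # Typical use on a host: assess_install(open("program/include/iniset.php").read())
    version, affected = assess_install(SAMPLE_INISET)
    state = "AFFECTED (update to 1.6.7 / 1.5.7 or later)" if affected else "not affected"
    print(f"Roundcube {version}: {state}")
    for v in ("1.4.15", "1.5.6", "1.5.7", "1.6.6", "1.6.7", "1.7.0"):
        print(f"  {v:7s} -> {'affected' if is_affected(v) else 'fixed'}")
```

The check deliberately treats the two series separately instead of comparing against a single threshold, because 1.5.7 is a fixed release while 1.6.0 through 1.6.6, which sort above it, are not.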
Mitigation Actions
If not already done, it is recommended to update vulnerable installations to the fixed releases (1.6.7 or 1.5.7, or later) following the vendor's release notes and the distribution security bulletin listed in the References section.
Unique Vulnerability Indicators
References
https://github.com/roundcube/roundcubemail/releases
https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html
[1] This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoCs, and prevalence of the affected software/devices in the relevant community.