{"id":"USN-6848-1","summary":"roundcube vulnerabilities","details":"Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly\nhandled certain SVG images. A remote attacker could possibly use this\nissue to load arbitrary JavaScript code. This issue only affected Ubuntu\n18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.\n(CVE-2023-5631)\n\nRene Rehme discovered that Roundcube incorrectly handled certain headers.\nA remote attacker could possibly use this issue to load arbitrary\nJavaScript code. This issue only affected Ubuntu 20.04 LTS,\nUbuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)\n\nValentin T. and Lutz Wolf discovered that Roundcube incorrectly handled\ncertain SVG images. A remote attacker could possibly use this issue to\nload arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS,\nUbuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2024-37383)\n\nHuy Nguyễn Phạm Nhật discovered that Roundcube incorrectly handled\ncertain fields in user preferences. A remote attacker could possibly use\nthis issue to load arbitrary JavaScript code. (CVE-2024-37384)\n","modified":"2026-04-27T17:17:14.683371Z","published":"2024-06-25T18:16:54Z","related":["UBUNTU-CVE-2023-47272","UBUNTU-CVE-2023-5631","UBUNTU-CVE-2024-37383","UBUNTU-CVE-2024-37384"],"upstream":["CVE-2023-47272","CVE-2023-5631","CVE-2024-37383","CVE-2024-37384","UBUNTU-CVE-2023-47272","UBUNTU-CVE-2023-5631","UBUNTU-CVE-2024-37383","UBUNTU-CVE-2024-37384"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6848-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-5631"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-47272"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-37383"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-37384"},{"type":"REPORT","url":"https://launchpad.net/bugs/2043396"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.2~beta+dfsg.1-0ubuntu1+esm4?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2~beta+dfsg.1-0ubuntu1+esm4"}]}],"versions":["1.1.1+dfsg.1-2","1.1.2+dfsg.1-5","1.1.3+dfsg.1-1","1.1.4+dfsg.1-1","1.2~beta+dfsg.1-0ubuntu1","1.2~beta+dfsg.1-0ubuntu1+esm1","1.2~beta+dfsg.1-0ubuntu1+esm2","1.2~beta+dfsg.1-0ubuntu1+esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube"},{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube-core"},{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube-mysql"},{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube-pgsql"},{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube-plugins"},{"binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm4","binary_name":"roundcube-sqlite3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-37384"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6848-1.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.3.6+dfsg.1-1ubuntu0.1~esm4?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.6+dfsg.1-1ubuntu0.1~esm4"}]}],"versions":["1.3.0+dfsg.1-1","1.3.1+dfsg.1-1","1.3.3+dfsg.1-1","1.3.3+dfsg.1-2","1.3.6+dfsg.1-1","1.3.6+dfsg.1-1ubuntu0.1~esm1","1.3.6+dfsg.1-1ubuntu0.1~esm2","1.3.6+dfsg.1-1ubuntu0.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube"},{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-core"},{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-mysql"},{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-pgsql"},{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-plugins"},{"binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-sqlite3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2023-5631"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2024-37383"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-37384"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6848-1.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.4.3+dfsg.1-1ubuntu0.1~esm4?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.3+dfsg.1-1ubuntu0.1~esm4"}]}],"versions":["1.3.8+dfsg.1-2","1.3.10+dfsg.1-1","1.4.1+dfsg.1-2","1.4.2+dfsg.1-1","1.4.2+dfsg.1-2","1.4.3+dfsg.1-1","1.4.3+dfsg.1-1ubuntu0.1~esm1","1.4.3+dfsg.1-1ubuntu0.1~esm2","1.4.3+dfsg.1-1ubuntu0.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube"},{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-core"},{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-mysql"},{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-pgsql"},{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-plugins"},{"binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm4","binary_name":"roundcube-sqlite3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2023-5631"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-47272"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2024-37383"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-37384"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6848-1.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.5.0+dfsg.1-2ubuntu0.1~esm3?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0+dfsg.1-2ubuntu0.1~esm3"}]}],"versions":["1.4.11+dfsg.1-4","1.5.0+dfsg.1-2","1.5.0+dfsg.1-2ubuntu0.1~esm1","1.5.0+dfsg.1-2ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube"},{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube-core"},{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube-mysql"},{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube-pgsql"},{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube-plugins"},{"binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm3","binary_name":"roundcube-sqlite3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2023-5631"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-47272"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2024-37383"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-37384"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6848-1.json"}}],"schema_version":"1.7.5"}