## https://sploitus.com/exploit?id=PACKETSTORM:190436
# Exploit Title:  Roundcube mail server exploit for CVE-2024-37383 (Stored XSS)
    # Google Dork:
    # Exploit Author: AmirZargham
    # Vendor Homepage:   Roundcube - Free and Open Source Webmail Software
    # Software Link:     Releases · roundcube/roundcubemail
    # Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.    
    # Tested on: firefox,chrome
    # CVE:  CVE-2024-37383
    # CWE: CWE-79 
    # Platform: MULTIPLE
    # Type: WebApps
    
    
    Description:
    
    
    The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. It is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. The vulnerability is triggered when a malicious email is opened in a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.
    
    
    Usage Info:

    1. Open the Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export the JS file.
    2. Change the web address of the original email (target) and the URL of the receiving server (attacker server).
    3. You can put the code in an SVG <animate> tag and send it to the server (you can use https://github.com/bartfroklage/CVE-2024-37383-POC).
    4. After the victim clicks, all emails in the mailbox will be sent to your collaborator server.
    
    
    This code automates retrieving all inbox messages from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint. Here's a step-by-step breakdown:

    1. Setup URLs:
       - The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration.

    2. Get Total Page Count:
       - The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount).
       - If pagecount is found, it proceeds to loop through each page.

    3. Fetch Message IDs from All Pages:
       - For each page from 1 to pagecount, it constructs a paginated URL to request that page.
       - Each page's response is searched with a regex for instances of add_message_row(NUMBER); the message ID is extracted from each instance and all IDs are collected in a single list.

    4. Retrieve Each Message's Content:
       - For each message ID, the code constructs a URL to request detailed data about that message.
       - It sends a GET request for each message ID URL, receiving the full response HTML.

    5. Extract and Clean Message Data:
       - Within each message response, it uses regex to capture the <title> (message title) and main message content.
       - Any HTML tags are stripped from the message content to keep only the plain text.

    6. Send the Data to the Server:
       - For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission.
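
The request pattern in the breakdown above (every list page, then every message, in quick succession from one browser session) is visible in the webmail server's access log. The following detection sketch is an added example, not part of the original exploit write-up. It assumes combined-format access logs, Roundcube's usual `_task`/`_action`/`_page`/`_uid` query parameters, and illustrative thresholds; the log lines are constructed, and the flagged address is the victim's client, since the script runs in the victim's browser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX&_page=1 HTTP/1.1" 200 5120
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX&_page=2 HTTP/1.1" 200 4980
203.0.113.10 - - [12/Mar/2025:10:00:02 +0000] "GET /?_task=mail&_action=show&_uid=101&_mbox=INBOX HTTP/1.1" 200 9001
203.0.113.10 - - [12/Mar/2025:10:00:02 +0000] "GET /?_task=mail&_action=show&_uid=102&_mbox=INBOX HTTP/1.1" 200 8800
203.0.113.10 - - [12/Mar/2025:10:00:03 +0000] "GET /?_task=mail&_action=show&_uid=103&_mbox=INBOX HTTP/1.1" 200 9100
198.51.100.7 - - [12/Mar/2025:10:05:00 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX&_page=1 HTTP/1.1" 200 5000
198.51.100.7 - - [12/Mar/2025:10:09:30 +0000] "GET /?_task=mail&_action=show&_uid=55&_mbox=INBOX HTTP/1.1" 200 7000
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(url):
    # Map a request URL to ("list", page) or ("show", uid); None for anything else.
    q = parse_qs(urlsplit(url).query)
    action = q.get("_action", [""])[0]
    if q.get("_task") != ["mail"]:
        return None
    if action == "list" and "_page" in q:
        return ("list", q["_page"][0])
    if action == "show" and "_uid" in q:
        return ("show", q["_uid"][0])
    return None

def find_mailbox_sweeps(log_text, window=timedelta(seconds=60), min_pages=2, min_msgs=3):
    # Flag clients that walk several list pages AND open several messages inside one window.
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m.group(4)) if m and m.group(3) == "GET" else None
        if kind:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events[m.group(1)].append((when, *kind))
    alerts = []
    for ip, evs in events.items():
        evs.sort()
        for start, _, _ in evs:
            in_win = [e for e in evs if timedelta(0) <= e[0] - start <= window]
            pages = {v for _, k, v in in_win if k == "list"}
            msgs = {v for _, k, v in in_win if k == "show"}
            if len(pages) >= min_pages and len(msgs) >= min_msgs:
                alerts.append((ip, len(pages), len(msgs)))
                break
    return alerts
```

Tune `window`, `min_pages` and `min_msgs` against normal client behaviour before alerting on this; where the session cookie is logged, grouping by session instead of client IP is more precise.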