CVE-2023-5631 vulnerability in Roundcube and Other Products
Published on October 18, 2023

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

NVD

Known Exploited Vulnerability

This Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.

The following remediation steps are recommended / required by November 16, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-5631 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2023-5631 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2023-5631

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-5631 are published in these products:

Roundcube Webmail

Debian Linux

Fedora Project Fedora

Canonical Ubuntu Linux

What versions are vulnerable to CVE-2023-5631?

Roundcube Webmail Version 1.6.0 Fixed in Version 1.6.4
Roundcube Webmail Version 1.5.0 Fixed in Version 1.5.5
Roundcube Webmail Fixed in Version 1.4.15