CVSSv3: 5.4

CVE-2023-5631

Published: 18/10/2023 Updated: 22/12/2023
CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3
VMScore: 0

Vulnerability Summary

Roundcube prior to 1.4.15, 1.5.x prior to 1.5.5, and 1.6.x prior to 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Vulnerable Products

- Roundcube Webmail
- Debian Linux 10.0
- Debian Linux 11.0
- Debian Linux 12.0
- Fedora 39

Vendor Advisories

Debian Bug report logs - #1054079 roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. Package: src:roundcube; Maintainer for src:roundcube is Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>; Reported by: Guilhem Moulin <guilhem@debian.org> ...
It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code. For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg1-1~deb11u1. For the stable distribution (bookworm), this p ...
Check Point Reference: CPAI-2023-1347. Date Published: 6 Dec 2023. Severity: Medium ...

Github Repositories

CVE-2023-5631-POC: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior.

Recent Articles

Pro-Russia group exploits Roundcube zero-day in attacks on European government emails
The Register

With this zero-day, researchers say the 'scrappy' group is stepping up its operations

The Winter Vivern cyber spy group is exploiting an XSS zero-day vulnerability in attacks on European governments. Researchers at ESET, who discovered the activity, didn't name the specific government entities it targeted but given Winter Vivern's nexus to Russia and Belarus, they are likely to be adversaries of those countries. Tracked as CVE-2023-5631, the zero-day was found in the free and open-source webmail client Roundcube. ESET reported the vulnerability to the Roundcube team on October 12...