Roundcube prior to 1.4.15, 1.5.x prior to 1.5.5, and 1.6.x prior to 1.6.4 allows stored XSS via an HTML e-mail message containing a crafted SVG document, because the HTML sanitiser in program/lib/Roundcube/rcube_washtml.php did not sufficiently wash SVG content. A remote attacker who sends such a message can have arbitrary JavaScript executed in the victim's browser when the message is opened in the webmail client.
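The description above locates the bug in the wash step that Roundcube applies to HTML messages before display. As an added example (not Roundcube's code, not the CVE-2023-5631 payload, and written in Python rather than the project's PHP), the following minimal allowlist-based washer shows the checks an inline SVG subtree needs that a plain HTML allowlist does not give it: a separate, much smaller element allowlist for SVG, removal of every on* attribute, scheme checking of href/xlink:href/src after entity decoding and whitespace normalisation, and dropping script-capable subtrees (script, foreignObject, animation elements) with their contents. The class name SvgWasher, the function wash_html, the allowlists and the sample message are all hypothetical and constructed for this example.

```python
"""Allowlist washing of inline SVG in an HTML mail body (illustrative, not Roundcube's code)."""
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlists for the example. SVG gets its own, deliberately small set:
# script-capable SVG elements (script, foreignObject, animate/set, use, ...) are
# simply absent from it, so they are removed together with their subtree.
HTML_ALLOWED_TAGS = {"p", "b", "i", "br", "div", "span", "a", "img"}
SVG_ALLOWED_TAGS = {"svg", "g", "a", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "text", "tspan", "title", "desc", "defs",
                    "lineargradient", "radialgradient", "stop", "clippath", "mask"}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "xlink:href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(value: str) -> bool:
    """Reject javascript:, data: and any other non-allowlisted scheme. Browsers
    ignore whitespace and control characters inside a scheme, so strip them first."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    m = SCHEME_RE.match(cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES   # no scheme: relative URL or "#id"


def _pop_through(stack, tag):
    """Remove `tag` (last occurrence) and everything opened after it; return them."""
    i = len(stack) - 1 - stack[::-1].index(tag)
    popped = stack[i:]
    del stack[i:]
    return popped


class SvgWasher(HTMLParser):
    """Re-serialises only allowlisted elements/attributes and records what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # attribute values are entity-decoded by HTMLParser
        self.out, self.findings = [], []
        self.stack = []      # kept elements currently open
        self.dropped = []    # removed elements currently open (their whole subtree is skipped)

    def handle_starttag(self, tag, attrs):
        if self.dropped:                       # inside a removed subtree: track nesting only
            if tag not in VOID_TAGS:
                self.dropped.append(tag)
            return
        allowed = SVG_ALLOWED_TAGS if (tag == "svg" or "svg" in self.stack) else HTML_ALLOWED_TAGS
        if tag not in allowed:
            self.findings.append(f"dropped element <{tag}>")
            if tag not in VOID_TAGS:
                self.dropped.append(tag)
            return
        self.out.append(f"<{tag}{self._wash_attrs(tag, attrs)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.dropped:
            if tag in self.dropped:
                _pop_through(self.dropped, tag)
            return
        if tag in self.stack:
            for t in reversed(_pop_through(self.stack, tag)):   # close innermost first
                self.out.append(f"</{t}>")

    def handle_data(self, data):
        if not self.dropped:                   # text inside <script> etc. is discarded too
            self.out.append(escape(data, quote=False))
    # comments, doctype and processing instructions fall through to no-op handlers

    def _wash_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                          # onload, onbegin, onmouseover, ...
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"dropped unsafe URL in {name} on <{tag}>")
            elif name == "style" and re.search(r"url\s*\(|expression\s*\(", value, re.I):
                self.findings.append(f"dropped style with url()/expression() on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)


def wash_html(html: str) -> tuple[str, list[str]]:
    """Return (washed markup, list of removed constructs)."""
    p = SvgWasher()
    p.feed(html)
    p.close()
    for t in reversed(p.stack):               # close whatever the message left open
        p.out.append(f"</{t}>")
    return "".join(p.out), p.findings


# Constructed sample, not a real message: a benign drawing carrying the classic SVG
# script vectors (event handler, entity-obfuscated javascript: link, <script>, foreignObject).
SAMPLE_MAIL_HTML = (
    '<p>Quarterly <b>report</b></p>'
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<rect width="100" height="100" fill="#ccc" onload="alert(1)"/>'
    '<a xlink:href="java&#10;script:alert(document.cookie)"><circle r="10"/></a>'
    '<script>alert(1)</script>'
    '<foreignObject><iframe src="https://example.invalid"></iframe></foreignObject>'
    '</svg>'
)

if __name__ == "__main__":
    washed, findings = wash_html(SAMPLE_MAIL_HTML)
    print(washed)
    print("\n".join(findings))
```

Two design points matter here. First, the SVG allowlist is separate from the HTML one, so an element that is harmless in HTML but script-capable in SVG (or simply unknown) is removed rather than passed through. Second, the URL check runs on the decoded attribute value with whitespace and control characters removed, because the `&#10;` in the sample is exactly the kind of obfuscation that a check on the raw attribute text would miss. The washer fails closed: an unclosed dropped element swallows the rest of the message instead of letting it through.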
Vulnerable product |
---|
roundcube webmail |
debian linux 10.0 |
debian linux 11.0 |
debian linux 12.0 |
fedoraproject fedora 39 |
With this zero-day, researchers say the 'scrappy' group is stepping up its operations
The Winter Vivern cyber spy group is exploiting an XSS zero-day vulnerability in attacks on European governments. Researchers at ESET, who discovered the activity, didn't name the specific government entities it targeted, but given Winter Vivern's nexus to Russia and Belarus, they are likely to be adversaries of those countries. Tracked as CVE-2023-5631, the zero-day was found in the free and open-source webmail client Roundcube. ESET reported the vulnerability to the Roundcube team on October 12...