CVE-2023-5631 : Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows store

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Published 2023-10-18 15:15:09

Updated 2025-03-19 20:57:50

Source ESET

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-5631

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 12.0
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 39
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Matching versions
Roundcube » Webmail
Versions before (<) 1.4.15
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Matching versions
Roundcube » Webmail
Versions from including (>=) 1.5.0 and before (<) 1.5.5
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Matching versions
Roundcube » Webmail
Versions from including (>=) 1.6.0 and before (<) 1.6.4
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Matching versions

CVE-2023-5631 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.

Notes:

https://roundcube.net/news/2023/10/16/security-update-1.6.4-released, https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ; https://nvd.nist.gov/vuln/detail/CVE-2023-5631

Added on 2023-10-26 Action due date 2023-11-16

Exploit prediction scoring system (EPSS) score for CVE-2023-5631

EPSS FAQ

90.74%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-5631

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	ESET
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-5631

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security@eset.com (Secondary)

References for CVE-2023-5631

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079

#1054079 - roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages - Debian Bug report logs
Mailing List;Patch
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released

Security update 1.6.4 released
Release Notes

CVEs referencing this url
https://github.com/roundcube/roundcubemail/issues/9168

XSS with svg use tag on RC 1.5.3 · Issue #9168 · roundcube/roundcubemail · GitHub
Exploit;Issue Tracking

CVEs referencing this url
https://www.debian.org/security/2023/dsa-5531

Debian -- Security Information -- DSA-5531-1 roundcube
Mailing List
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15

Security updates 1.5.5 and 1.4.15 released
Release Notes

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2023/11/01/1

oss-security - CVE-2023-5631: XSS vulnerability in Roundcube webmail
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/

[SECURITY] Fedora 39 Update: roundcubemail-1.6.4-1.fc39 - package-announce - Fedora Mailing-Lists
Mailing List
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@6ee6e7a · GitHub
Patch
http://www.openwall.com/lists/oss-security/2023/11/17/2

oss-security - CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5

Release Roundcube Webmail 1.5.5 · roundcube/roundcubemail · GitHub
Release Notes
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@41756cc · GitHub
Patch

CVEs referencing this url
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4

Release Roundcube Webmail 1.6.4 · roundcube/roundcubemail · GitHub
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15

Release Roundcube Webmail 1.4.15 · roundcube/roundcubemail · GitHub
Release Notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html

[SECURITY] [DLA 3630-1] roundcube security update
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/01/3

oss-security - Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail
Mailing List;Third Party Advisory