Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Summary
| CVE | CVE-2023-5631 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-18 15:15:00 UTC |
| Updated | 2023-11-17 15:15:00 UTC |
| Description | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
Risk And Classification
EPSS: 0.833380000 probability, percentile 0.992660000 (date 2026-04-02)
CISA KEV: Listed on 2023-10-26; due 2023-11-16; ransomware use Unknown
Problem Types: CWE-79
CISA Known Exploited Vulnerability
| Vendor | Roundcube |
|---|---|
| Product | Webmail |
| Name | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | https://roundcube.net/news/2023/10/16/security-update-1.6.4-released, https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ; https://nvd.nist.gov/vuln/detail/CVE-2023-5631 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 12.0 | All | All | All |
| Application | Roundcube | Webmail | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| XSS with svg use tag on RC 1.5.3 · Issue #9168 · roundcube/roundcubemail · GitHub | MISC | github.com | |
| Release Roundcube Webmail 1.6.4 · roundcube/roundcubemail · GitHub | MISC | github.com | |
| Debian -- Security Information -- DSA-5531-1 roundcube | MISC | www.debian.org | |
| #1054079 - roundcube: CVE-2023-5631: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages - Debian Bug report logs | MISC | bugs.debian.org | |
| oss-security - CVE-2023-5631: XSS vulnerability in Roundcube webmail | MISC | www.openwall.com | |
| Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@6ee6e7a · GitHub | MISC | github.com | |
| Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@41756cc · GitHub | MISC | github.com | |
| Security update 1.6.4 released | MISC | roundcube.net | |
| [SECURITY] [DLA 3630-1] roundcube security update | MISC | lists.debian.org | |
| Security updates 1.5.5 and 1.4.15 released | MISC | roundcube.net | |
| oss-security - CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite | www.openwall.com | ||
| oss-security - Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail | MISC | www.openwall.com | |
| Release Roundcube Webmail 1.5.5 · roundcube/roundcubemail · GitHub | MISC | github.com | |
| Release Roundcube Webmail 1.4.15 · roundcube/roundcubemail · GitHub | MISC | github.com | |
| [SECURITY] Fedora 39 Update: roundcubemail-1.6.4-1.fc39 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.