CVE-2023-5631
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Public Exploits: 2
Exploited in Wild: Yes
Descriptions
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.
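As an added example (not part of this advisory page and not Roundcube project code), the check below turns the three affected ranges stated above (before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4) into a small version triage function. It accepts plain upstream versions as well as distribution-style strings such as "1.6.3+dfsg-1" (a constructed sample; the `+dfsg`/`-1` suffix handling is an assumption about Debian-style packaging, not something the advisory states) and reports the first fixed release on the same branch. Note the caveat in the comments: Debian and Fedora backport fixes without changing the upstream version number, so the upstream string alone is not proof that a distribution package is vulnerable.

```python
"""Triage a Roundcube Webmail version against the CVE-2023-5631 affected ranges.

Ranges taken from the advisory text:
  * < 1.4.15            (fixed in 1.4.15)
  * 1.5.x < 1.5.5       (fixed in 1.5.5)
  * 1.6.x < 1.6.4       (fixed in 1.6.4)
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per maintained branch, per the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}
OLDEST_FIX: Version = (1, 4, 15)  # everything below this is affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric upstream version from strings like '1.6.3' or '1.6.3+dfsg-1'.

    Distribution suffixes ('+dfsg', '-1', etc.) are dropped; this is an assumption
    about common packaging conventions, not something the advisory specifies.
    """
    core = text.strip().split("+")[0].split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _padded(text: str) -> Version:
    """Normalize to (major, minor, patch); '1.5' is treated as 1.5.0."""
    v = parse_version(text)
    return (v + (0, 0, 0))[:3]


def fixed_version(text: str) -> Optional[str]:
    """Return the first fixed release for this install, or None if not affected.

    Caveat: Debian/Fedora backport security fixes without bumping the upstream
    version, so for distro packages confirm via the package changelog or the
    vendor advisory rather than this number alone.
    """
    v = _padded(text)
    branch = v[:2]
    if v < OLDEST_FIX:
        # 1.3.x and older branches have no fix of their own; the advisory's
        # lower bound is 1.4.15.
        return ".".join(map(str, OLDEST_FIX))
    if branch in FIXED_BY_BRANCH and v < FIXED_BY_BRANCH[branch]:
        return ".".join(map(str, FIXED_BY_BRANCH[branch]))
    return None  # 1.4.15+, 1.5.5+, 1.6.4+ and newer branches


def is_affected(text: str) -> bool:
    return fixed_version(text) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for host, ver in [("mail-a", "1.6.3"), ("mail-b", "1.6.4"),
                      ("mail-c", "1.6.3+dfsg-1"), ("legacy", "1.3.17")]:
        fix = fixed_version(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host:8} {ver:14} {status}")
```

Run it as-is to see the constructed inventory triaged; in practice feed it the version string from each Roundcube install (for example from the package manager) and treat distribution packages flagged as affected as "confirm against the vendor advisory".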
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-10-18 CVE Reserved
- 2023-10-18 CVE Published
- 2023-10-26 Exploited in Wild
- 2023-11-16 KEV Due Date
- 2024-04-05 First Exploit
- 2024-08-02 CVE Updated
- 2024-10-24 EPSS Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
- CAPEC-592: Stored XSS
References (16)
URL | Date | SRC
---|---|---
https://github.com/soreta2/CVE-2023-5631-POC | 2024-04-05 | 
https://github.com/roundcube/roundcubemail/issues/9168 | 2024-08-02 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Roundcube | Webmail | < 1.4.15 | - | Affected
Roundcube | Webmail | >= 1.5.0 < 1.5.5 | - | Affected
Roundcube | Webmail | >= 1.6.0 < 1.6.4 | - | Affected
Debian | Debian Linux | 10.0 | - | Affected
Debian | Debian Linux | 11.0 | - | Affected
Debian | Debian Linux | 12.0 | - | Affected
Fedoraproject | Fedora | 39 | - | Affected