CVE-2023-5631
Severity: MEDIUM | CISA KEV
Roundcube Webmail < 1.4.15, 1.5.x < 1.5.5, 1.6.x < 1.6.4 - Stored Cross-Site Scripting via SVG in HTML Email
Title source: llm

Exploitation Summary
CVE-2023-5631 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 26, 2023.
Description
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
References (16)
http://www.openwall.com/lists/oss-security/2023/11/01/1 (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2023/11/01/3 (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2023/11/17/2 (Mailing List, Third Party Advisory)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079 (Mailing List, Patch)
https://github.com/roundcube/roundcubemail/issues/9168 (Exploit, Issue Tracking)
https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html (Mailing List, Third Party Advisory)
https://lists.fedoraproject.org/archives/list/[email protected]/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/ (Mailing List)
https://www.debian.org/security/2023/dsa-5531 (Mailing List)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5631 (US Government Resource)
Scores
CVSS v3 base score: 6.1
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.8324
EPSS Percentile: 99.3%

CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: total

Details
CISA KEV: 2023-10-26
VulnCheck KEV: 2023-10-25
InTheWild.io: 2023-10-26
ENISA EUVD: EUVD-2023-57924
CWE: CWE-79
Status: published
Products (5)
debian/debian_linux 10.0
debian/debian_linux 11.0
debian/debian_linux 12.0
fedoraproject/fedora 39
roundcube/webmail < 1.4.15

Timeline
Published: Oct 18, 2023
KEV Added: Oct 26, 2023
Tracked Since: Feb 18, 2026