⚠ Actively exploited

Added to CISA KEV on 2023-10-26. Federal agencies required to patch by 2023-11-16. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-5631 — Cross-site Scripting in Roundcubemail

CWE-79 — Cross-site Scripting17 documents11 sources

Severity

5.4MEDIUMNVD

CNA6.1OSV6.1VulnCheck6.1

EPSS

83.4%

top 0.72%

CISA KEV

KEV

Added 2023-10-26

Due 2023-11-16

Exploit

Exploited in wild

Active exploitation observed

Affected products

Roundcube Roundcubemail Roundcube Webmail Debian Linux +1 more

Timeline

PublishedOct 18

KEV addedOct 26

KEV dueNov 16

Latest updateFeb 23

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDroundcube/webmail1.5.0 — 1.5.5+2

▶CVEListV5roundcube/roundcubemail1.6.0 — 1.6.3+2

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 39

Patches

Patch: bugs.debian.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

roundcube vulnerabilities↗2024-06-25

▶

OSV

CVE-2023-5631: Roundcube before 1↗2023-10-18

▶

CVEList

Stored XSS vulnerability in Roundcube↗2023-10-18

▶

GHSA

GHSA-qf8f-27cp-gw76: Roundcube before 1↗2023-10-18

▶

VulnCheck

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability↗2023

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)↗2025-01-10

▶

Suricata

ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)↗2023-11-08

▶

📋Vendor Advisories

Ubuntu

Roundcube vulnerabilities↗2024-06-25

▶

CISA

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability↗2023-10-26

▶

Debian

CVE-2023-5631: roundcube - Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows store...↗2023

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA: Recently patched RoundCube flaws now exploited in attacks↗2026-02-23

▶

Bleepingcomputer

Hackers exploit Roundcube webmail flaw to steal email, credentials↗2024-10-21

▶

Bleepingcomputer

CISA: Roundcube email server bug now exploited in attacks↗2024-02-12

▶

Bleepingcomputer

Google: Hackers exploited Zimbra zero-day in attacks on govt orgs↗2023-11-17

▶

Google Tag

Zimbra 0-day used to target international government organizations↗2023-11-16

▶