CVE-2023-5631
Published: 2023-10-18
Priority P180 · medium · CVSS 3.1 base score 5.4
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (remediation due 2023-11-16) · Exploited in the wild
EPSS: 73.45% (99.4th percentile)
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.6.4+dfsg-1~deb12u1 (bookworm) | roundcube 1.6.4+dfsg-1~deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| roundcube | roundcubemail | >= 1.4.0 < 1.5.14 | 1.5.14 |
| roundcube | roundcubemail | >= 1.5.0 < 1.5.4 | 1.5.4 |
| roundcube | roundcubemail | >= 1.6.0 < 1.6.3 | 1.6.3 |
| roundcube | webmail | < 1.4.15 | 1.4.15 |
| roundcube | webmail | >= 1.5.0 < 1.5.5 | 1.5.5 |
| roundcube | webmail | >= 1.6.0 < 1.6.4 | 1.6.4 |
Detection & IOCs (extracted from sources)
- Phishing emails impersonating the Outlook Team were used as the delivery vector for the CVE-2023-5631 exploit; inspect inbound email headers and sender display names for Outlook Team impersonation.
- The final JavaScript payload lists folders/emails and exfiltrates them to a C2 server; monitor Roundcube webmail for anomalous outbound HTTP requests originating from the browser session after email open events.
- Attackers inject a fake login form with fields rcmloginuser and rcmloginpwd into the Roundcube HTML page to harvest credentials; monitor the DOM for unauthorized injection of these field names.
- The ManageSieve plugin is abused post-exploitation to exfiltrate messages; audit ManageSieve plugin activity and sieve rule creation for unauthorized rules.
- Exploitation observed in the wild as a zero-day starting at least October 11, 2023; treat any unpatched Roundcube instance (before 1.4.15, 1.5.5, or 1.6.4) as actively at risk.
- The vulnerable code path is in program/lib/Roundcube/rcube_washtml.php; the flaw involves improper handling of SVG elements that bypasses HTML sanitization checks.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 5.4 (v3.1) | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | — |
| vulncheck | 6.1 | MEDIUM | — |
| cisa | 5.4 | MEDIUM | — |
| vendor_debian | 6.1 | MEDIUM | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
Ubuntu
Roundcube vulnerabilities
vendor_ubuntu·2024-06-25·CVSS 6.1
CVE-2024-37383 [MEDIUM] Roundcube vulnerabilities
Title: Roundcube vulnerabilities
Summary: Roundcube could be made to crash or run programs if it received specially crafted input.
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could pos
CISA
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
cisa·2023-10-26·CVSS 5.4
CVE-2023-5631 [MEDIUM] CWE-79 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Vulnerability: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Affected: Roundcube Webmail
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://roundcube.net/news/2023/10/16/security-update-1.6.4-released, https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ; https://nvd.nist.gov/vuln/detail/CVE-2023-5631
Remediation Due Date: 2023-11-16
Debian
CVE-2023-5631: roundcube - Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows store...
vendor_debian·2023·CVSS 6.1
CVE-2023-5631 [MEDIUM] CVE-2023-5631: roundcube - Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows store...
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Scope: local
bookworm: resolved (fixed in 1.6.4+dfsg-1~deb12u1)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1~deb11u1)
forky: resolved (fixed in 1.6.4+dfsg-1)
sid: resolved (fixed in 1.6.4+dfsg-1)
trixie: resolved (fixed in 1.6.4+dfsg-1)
OSV
roundcube vulnerabilities
osv·2024-06-25·CVSS 6.1
CVE-2023-5631 [MEDIUM] roundcube vulnerabilities
roundcube vulnerabilities
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu
OSV
CVE-2023-5631: Roundcube before 1
osv·2023-10-18·CVSS 5.4
CVE-2023-5631 [MEDIUM] CVE-2023-5631: Roundcube before 1
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
GHSA
GHSA-qf8f-27cp-gw76: Roundcube before 1
ghsa_unreviewed·2023-10-18
CVE-2023-5631 [MEDIUM] CWE-79 GHSA-qf8f-27cp-gw76: Roundcube before 1
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
VulnCheck
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
vulncheck·2023·CVSS 6.1
CVE-2023-5631 [MEDIUM] CWE-79 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.
Affected: Roundcube Roundcube Webmail
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf; https://www.rewterz.com/rewterz-news/rewterz-threat-alert-russia-linked-winter-vivern-apt-leverages-roundcube-vulnerabiliti
Suricata
ET WEB_SPECIFIC_APPS Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)
suricata·2025-01-10·CVSS 6.1
CVE-2023-5631 [MEDIUM] ET WEB_SPECIFIC_APPS Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)
ET WEB_SPECIFIC_APPS Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube rcube_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)"; flow:established,to_client; http.response_body; content:"|3c|svg|3e 3c|use|20|href|3d 22|data:image/s"; fast_pattern; nocase; content:"vg+xml|3b|base64|2c|"; distance:0; base64_decode:bytes 200, offset 0, relative; base64_data; pcre:"/.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/; reference:cve,2023-5631; classtype:web-application-
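As an added example (not code from the page, from Emerging Threats or from Roundcube), the Python below mirrors the logic of the rule above for a mail-gateway or offline mailbox scan: it locates the `<svg><use href="data:image/svg+xml;base64,...">` reference in an HTML body, decodes the first 200 bytes of the embedded document as the rule does, and flags the same script and event-handler keywords. The two sample mail bodies are constructed, and `h()` is a placeholder handler name.

```python
import base64
import binascii
import re

# Added example, not from the page or from Roundcube: a defender-side check
# that mirrors the ET Suricata rule for CVE-2023-5631 on an HTML mail body.

# Anchor the Suricata rule fast-patterns on, matched case-insensitively.
USE_DATA_URI_RE = re.compile(
    r'<svg[^>]*>\s*<use[^>]*\bhref\s*=\s*["\']data:image/svg\+xml;base64,'
    r'([A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE | re.DOTALL,
)

# Keyword set the rule's pcre applies to the decoded bytes.
ACTIVE_CONTENT_RE = re.compile(
    r'(<script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|'
    r'onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|'
    r'style\s*=)',
    re.IGNORECASE,
)


def decode_embedded_svg(b64: str, limit: int = 200) -> str:
    """Decode the data URI body, keeping the first `limit` bytes like the rule."""
    raw = re.sub(r"\s+", "", b64)
    raw += "=" * (-len(raw) % 4)  # tolerate unpadded input instead of raising
    try:
        data = base64.b64decode(raw)
    except (binascii.Error, ValueError):
        return ""
    return data[:limit].decode("utf-8", errors="replace")


def scan_html_for_svg_use_payload(html: str) -> list:
    """One finding per embedded SVG whose decoded body carries active content."""
    findings = []
    for m in USE_DATA_URI_RE.finditer(html):
        decoded = decode_embedded_svg(m.group(1))
        hit = ACTIVE_CONTENT_RE.search(decoded)
        if hit:
            findings.append({"indicator": hit.group(1).lower(), "decoded": decoded})
    return findings


def _wrap(svg_doc: str) -> str:
    """Constructed HTML mail body embedding `svg_doc` through <svg><use href>."""
    b64 = base64.b64encode(svg_doc.encode()).decode()
    return f'<p>hi</p><svg><use href="data:image/svg+xml;base64,{b64}"/></svg>'


# Constructed samples: a harmless inline icon, and one whose embedded document
# carries an event-handler attribute (h() is a placeholder), which the rule alerts on.
BENIGN_MAIL = _wrap('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>')
SUSPICIOUS_MAIL = _wrap('<svg xmlns="http://www.w3.org/2000/svg" onload="h()"><rect/></svg>')
```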
Suricata
ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)
suricata·2023-11-08·CVSS 6.1
CVE-2023-5631 [MEDIUM] ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)
ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:""; content:""; distance:0; reference:url,roundcube.net/news/2023/10/16/security-update-1.6.4-released; reference:url,roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15; reference:cve,2023-5631; classtype:attempted-user; sid:2049139; rev:1; metadata:affected_product Roundcube, attack_target Client_Endpoint, created_at 2023_11_08, cve CVE_2023_5631, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag XSS, tag CISA_KEV, updated_at 2023_11_08;)
No public exploits indexed.
Bleepingcomputer
CISA: Recently patched RoundCube flaws now exploited in attacks
blogs_bleepingcomputer·2026-02-23·CVSS 9.9
[CRITICAL] CISA: Recently patched RoundCube flaws now exploited in attacks
## CISA: Recently patched RoundCube flaws now exploited in attacks
## Sergiu Gatlan
CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks.
Roundcube Webmail is a web-based email client that has been the default mail interface for the widely used cPanel web hosting control panel since 2008.
The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 vulnerable Roundcube webmail installations were vulnerable to attacks.
Roundcube patched the second one (CVE-2025-68461) tw
Bleepingcomputer
Hackers exploit Roundcube webmail flaw to steal email, credentials
blogs_bleepingcomputer·2024-10-21·CVSS 6.1
[MEDIUM] Hackers exploit Roundcube webmail flaw to steal email, credentials
## Hackers exploit Roundcube webmail flaw to steal email, credentials
## Bill Toulas
Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.
An attack was discovered by Russian cybersecurity company Positive Technologies in September, but the researchers determined that the threat actor activity had started in June.
Roundcube Webmail is an open-source, PHP-based webmail solution with support for plugins to extend its functionality, that is popular with commercial and government entities.
The threat actor exploited a medium-severity stored XSS (cross-site scripting) vulnerability identified as CVE-2024-37383, which allows the ex
Bleepingcomputer
CISA: Roundcube email server bug now exploited in attacks
blogs_bleepingcomputer·2024-02-12·CVSS 6.1
CVE-2023-43770 [MEDIUM] CISA: Roundcube email server bug now exploited in attacks
## CISA: Roundcube email server bug now exploited in attacks
## Sergiu Gatlan
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages with maliciously crafted links in low-complexity attacks requiring user interaction.
The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
"We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version," the Roundcube security team said when it released CVE-2023-43770 security updates five months ago.
Whi
Bleepingcomputer
Google: Hackers exploited Zimbra zero-day in attacks on govt orgs
blogs_bleepingcomputer·2023-11-17·CVSS 6.1
CVE-2023-37580 [MEDIUM] Google: Hackers exploited Zimbra zero-day in attacks on govt orgs
## Google: Hackers exploited Zimbra zero-day in attacks on govt orgs
## Bill Toulas
Google's Threat Analysis Group (TAG) has discovered that threat actors exploited a zero-day vulnerability in Zimbra Collaboration email server to steal sensitive data from government systems in multiple countries.
Hackers leveraged a medium-severity security issue now identified as CVE-2023-37580 since June 29, nearly a month before the vendor addressed it in version 8.8.15 Patch 41 of the software on July 25.
The flaw is an XSS (cross-site scripting) issue present in the Zimbra Classic Web Client.
## Attack and response timeline
According to Google's threat analysts, the threat actors exploited the vulnerability on government systems in Greece, Moldova, Tunisia, Vietnam, and Pakistan to steal email da
Google Tag
Zimbra 0-day used to target international government organizations
blogs_google_tag·2023-11-16·CVSS 6.1
CVE-2023-37580 [MEDIUM] Zimbra 0-day used to target international government organizations
Threat Analysis Group
## Zimbra 0-day used to target international government organizations
Nov 16, 2023
In June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580, TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on GitHub. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.
## 0-day discovery, hotfix and patch
TAG first discovere
Bleepingcomputer
European govt email servers hacked using Roundcube zero-day
blogs_bleepingcomputer·2023-10-25·CVSS 6.1
CVE-2023-5631 [MEDIUM] European govt email servers hacked using Roundcube zero-day
## European govt email servers hacked using Roundcube zero-day
## Sergiu Gatlan
The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day in attacks targeting European government entities and think tanks since at least October 11.
The Roundcube development team released security updates fixing the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) reported by ESET researchers on October 16.
These security patches were pushed five days after the Slovak cybersecurity company detected Russian threat actors using the zero-day in real-world attacks.
According to ESET's findings, the cyberespionage group (also known as TA473) used HTML email messages containing carefully crafted SVG documents to remotely inject arbitrary JavaScript code.
Their
References
- http://www.openwall.com/lists/oss-security/2023/11/01/1
- http://www.openwall.com/lists/oss-security/2023/11/01/3
- http://www.openwall.com/lists/oss-security/2023/11/17/2
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
- https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
- https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
- https://github.com/roundcube/roundcubemail/issues/9168
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
- https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/
- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
- https://www.debian.org/security/2023/dsa-5531
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5631
Timeline
- 2023-10-18: Published
- 2023-10-26: Added to CISA KEV
- Exploited in the wild