CVE-2023-5631
published 2023-10-18

Priority: P180 (medium)
CVSS 3.1: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA KEV: listed, remediation due 2023-11-16
Exploited in the wild: yes
EPSS: 73.45% (99.4th percentile)
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Affected

11 ranges

Vendor          Product         Version range                                          Fixed in
debian          debian_linux    (3 rows, no range or fixed version listed)
debian          roundcube       < 1.6.4+dfsg-1~deb12u1 (bookworm)                       1.6.4+dfsg-1~deb12u1 (bookworm)
fedoraproject   fedora          (no range or fixed version listed)
roundcube       roundcubemail   >= 1.4.0, < 1.5.14                                     1.5.14
roundcube       roundcubemail   >= 1.5.0, < 1.5.4                                      1.5.4
roundcube       roundcubemail   >= 1.6.0, < 1.6.3                                      1.6.3
roundcube       webmail         < 1.4.15                                               1.4.15
roundcube       webmail         >= 1.5.0, < 1.5.5                                      1.5.5
roundcube       webmail         >= 1.6.0, < 1.6.4                                      1.6.4

Note the disagreement between the roundcubemail rows (fixed in 1.5.14, 1.5.4, 1.6.3, as reported by a package-ecosystem feed) and the webmail rows, which match the vendor's fixed releases in the description (1.4.15, 1.5.5, 1.6.4). When deciding whether a host is patched, use the vendor releases; a 1.5.4 or 1.6.3 install is still vulnerable according to the advisory text.
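To turn the vendor version ranges above into a check that can be run over a host inventory, here is an added Python example. It is not Roundcube or distributor code; the per-branch fixed releases are taken from the advisory text (before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4), and the inventory entries and hostnames are constructed.

```python
"""Branch-aware vulnerability check for CVE-2023-5631.

Added example for this page, not Roundcube or distributor code. Fixed versions
come from the advisory text; the inventory below is constructed.
"""
from __future__ import annotations

import re

# Upstream fixed release per maintained branch, as stated in the advisory.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the leading upstream version from strings such as '1.6.3',
    'Roundcube Webmail 1.5' or the Debian form '1.6.4+dfsg-1~deb12u1'.

    Distribution suffixes are ignored. A distro may backport the fix under an
    older upstream number, so a 'vulnerable' verdict on a distro package means
    'check the distro advisory', not proof of exposure."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if the upstream version is below its branch's fixed release.
    Advisory wording: before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Anything older than the 1.4 branch is also 'before 1.4.15';
    # newer branches are not listed as affected.
    return v < (1, 4, 0)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported Roundcube version is vulnerable."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory: hostname -> version string as reported by the host.
SAMPLE_INVENTORY = {
    "mail-a.example.test": "Roundcube Webmail 1.6.3",
    "mail-b.example.test": "1.6.4+dfsg-1~deb12u1",
    "mail-c.example.test": "1.5.4",
    "mail-d.example.test": "1.4.15",
    "mail-e.example.test": "1.3.17",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is vulnerable to CVE-2023-5631")
```

The check is deliberately per branch rather than a single "< 1.6.4" comparison: 1.5.5 is fixed even though it sorts below 1.6.4, and 1.6.3 is vulnerable even though it sorts above 1.5.5.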

Detection & IOCs

  • Phishing e-mails impersonating the "Outlook Team" were the delivery vector for the CVE-2023-5631 exploit; inspect inbound headers and sender display names for that impersonation.
  • The final JavaScript payload lists folders and messages and exfiltrates them to a C2 server; watch Roundcube webmail sessions for anomalous outbound HTTP requests from the browser shortly after a message is opened.
  • Attackers inject a fake login form with fields rcmloginuser and rcmloginpwd into the Roundcube HTML page to harvest credentials. These are the IDs of Roundcube's own login fields, so the signal is their appearance inside an already authenticated mailbox view, not on the login page itself; monitor the DOM for that.
  • The ManageSieve plugin is abused post-exploitation to exfiltrate messages; audit managesieve activity and newly created sieve rules for unauthorized entries.
  • Exploited in the wild as a zero-day from at least 11 October 2023, a week before the 18 October publication; treat any unpatched instance (before 1.4.15, 1.5.5 or 1.6.4) as actively at risk.
  • The vulnerable code path is program/lib/Roundcube/rcube_washtml.php: improper handling of SVG elements lets a crafted SVG document bypass the HTML sanitizer.
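The items above name the lure and the malicious content but give nothing a responder can run over a mail store. The following added Python example (not Roundcube code, and not a reproduction of the rcube_washtml.php bypass, which this page does not detail) triages raw e-mail offline for two things: a From display name carrying the "Outlook Team" lure, and SVG content in text/html or image/svg+xml parts that contains script-capable markup (script or foreignObject elements, on* event handlers, javascript: URLs). The two sample messages are constructed. The markers are generic SVG/XSS heuristics, so expect misses against a real sanitizer bypass and hits on benign inline SVG that legitimately uses event handlers; use the output to prioritise, not to acquit.

```python
"""Offline e-mail triage for CVE-2023-5631 hunting. Added example for this
page, not Roundcube code; it flags generic script-capable SVG markup and the
'Outlook Team' lure, not the specific rcube_washtml.php bypass."""
from __future__ import annotations

import email
import email.policy
import email.utils
from dataclasses import dataclass, field
from html.parser import HTMLParser

LURE_MARKERS = ("outlook team",)            # display-name lure reported for this campaign
SCRIPT_TAGS = {"script", "foreignobject"}   # HTMLParser lowercases tag names
URL_ATTRS = {"href", "xlink:href", "src", "data", "action"}


@dataclass
class SvgFindings:
    svg_elements: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


class _SvgScanner(HTMLParser):
    """Record script-capable markup found inside SVG subtrees."""

    def __init__(self, whole_document_is_svg: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.findings = SvgFindings()
        self._svg_depth = 1 if whole_document_is_svg else 0  # image/svg+xml is all SVG

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self._svg_depth += 1
            self.findings.svg_elements += 1
        if self._svg_depth == 0:
            return  # HTML-level markup is the sanitizer's normal job; SVG is the point here
        if tag in SCRIPT_TAGS:
            self.findings.reasons.append(f"<{tag}> inside SVG")
        for name, value in attrs:  # attribute names arrive lowercased
            if name.startswith("on"):
                self.findings.reasons.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.reasons.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_depth > 0:
            self._svg_depth -= 1


def scan_message(raw: bytes) -> dict[str, SvgFindings]:
    """Scan each text/html or image/svg+xml part; keys are 'part<i>:<content-type>'."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = {}
    for idx, part in enumerate(msg.walk()):
        ctype = part.get_content_type()
        if ctype not in ("text/html", "image/svg+xml"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # image/* parts come back as bytes
            body = body.decode("utf-8", errors="replace")
        scanner = _SvgScanner(whole_document_is_svg=(ctype == "image/svg+xml"))
        scanner.feed(body)
        scanner.close()
        results[f"part{idx}:{ctype}"] = scanner.findings
    return results


def suspicious_parts(raw: bytes) -> list[str]:
    return [key for key, f in scan_message(raw).items() if f.suspicious]


def lure_in_from(raw: bytes) -> bool:
    """True if the From display name contains a known lure marker."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    display, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    return any(marker in display.lower() for marker in LURE_MARKERS)


# Constructed samples, not captured mail. SAMPLE_EML mimics the lure and carries
# inline SVG with an event handler and a javascript: link; BENIGN_EML is plain SVG.
SAMPLE_EML = b"""From: "Outlook Team" <notices@example.test>
Subject: Mailbox storage notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your mailbox settings.</p>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <a href="javascript:alert(1)"><text x="5" y="15">details</text></a>
</svg></body></html>
"""
BENIGN_EML = b"""From: "Alice" <alice@example.test>
Subject: logo
Content-Type: text/html; charset="utf-8"

<html><body><svg viewBox="0 0 10 10"><circle cx="5" cy="5" r="3"/></svg></body></html>
"""
```

Run it over a mailbox export with `scan_message(path.read_bytes())` per message and sort by `lure_in_from` first, then by `suspicious_parts`: a message that matches both is the one to pull for full analysis, while an inline SVG with no reasons recorded is just noise from marketing mail.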

CVSS provenance

Source         Score  Severity  Vector
nvd (v3.1)     5.4    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv            6.1    MEDIUM
vulncheck      6.1    MEDIUM
cisa           5.4    MEDIUM
vendor_debian  6.1    MEDIUM
vendor_ubuntu  6.1    MEDIUM

The page shows only NVD's vector. 6.1 is the score the same vector yields with PR:N instead of PR:L (no privileges required to deliver the message), which accounts for the gap between the two groups of scores.