CVE-2023-5631

Summary

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker

to load arbitrary JavaScript code.

Affected Software

VendorProductVersion RangeStatus
RoundcubeRoundcubemail1.6.0 < 1.6.3affected
RoundcubeRoundcubemail1.5.0 < 1.5.4affected
RoundcubeRoundcubemail1.4.0 < 1.5.14affected
RoundcubeRoundcubemail1.6.4unaffected
RoundcubeRoundcubemail1.5.5unaffected
RoundcubeRoundcubemail1.5.15unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References