
Aleksander Machniak

#43826 of 53,632
6.1 Total CVSS
Vulnerabilities · 1
PT-2023-6427
6.1
2019-11-09
Roundcube · Roundcube · CVE-2023-5631
**Name of the Vulnerable Software and Affected Versions**

Roundcube versions 1.4.15 and earlier, 1.5.x before 1.5.5, and 1.6.x before 1.6.4

**Description**

The issue allows stored XSS via an HTML e-mail message with a crafted SVG document because of `program/lib/Roundcube/rcube_washtml.php` behavior. This could allow a remote attacker to load arbitrary JavaScript code. The vulnerability has been exploited in the wild by groups such as Winter Vivern to target government entities and steal emails. The attackers send a specially crafted email message that includes a malicious payload, which is then executed on the victim's computer.

**Recommendations**

For versions 1.4.15 and earlier, update to version 1.4.15 or later. For versions 1.5.x before 1.5.5, update to version 1.5.5 or later. For versions 1.6.x before 1.6.4, update to version 1.6.4 or later. As a temporary workaround, consider disabling the `rcube_washtml.php` function until a patch is available. Restrict access to the vulnerable `program/lib/Roundcube` module to minimize the risk of exploitation. Avoid using the `rcube_washtml.php` behavior in the affected API endpoint until the issue is resolved.