PT-2023-29938 · Roundcube · Roundcube

Published 2023-10-19 · Updated 2023-10-21 · CVE-2023-46267

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions

Roundcube versions 1.4.x through 1.4.14
Roundcube versions 1.5.x through 1.5.4
Roundcube versions 1.6.x through 1.6.3

Description

The issue allows for XSS via a text/html e-mail message containing an SVG image with a USE element. This is related to the wash_uri function in rcube_washtml.php. The exploitation occurs when a user receives a specially crafted email message.

Recommendations

For Roundcube versions 1.4.x through 1.4.14, update to version 1.4.15 or later.
For Roundcube versions 1.5.x through 1.5.4, update to version 1.5.5 or later.
For Roundcube versions 1.6.x through 1.6.3, update to version 1.6.4 or later.

Related Identifiers

CVE-2023-46267

Affected Products

Roundcube