PT-2023-6427 · Roundcube+4

Aleksander Machniak +2

Published 2019-11-09 · Updated 2026-03-12

CVE-2023-5631

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube versions 1.4.15 and earlier, 1.5.x before 1.5.5, and 1.6.x before 1.6.4

Description: The issue allows stored XSS via an HTML e-mail message containing a crafted SVG document, due to the behavior of program/lib/Roundcube/rcube_washtml.php. This could allow a remote attacker to load arbitrary JavaScript code. The vulnerability has been exploited in the wild by groups such as Winter Vivern to target government entities and steal e-mails. The attackers send a specially crafted e-mail message that includes a malicious payload, which is then executed on the victim's computer.

Recommendations: For versions 1.4.15 and earlier, update to version 1.4.15 or later. For versions 1.5.x before 1.5.5, update to version 1.5.5 or later. For versions 1.6.x before 1.6.4, update to version 1.6.4 or later. As a temporary workaround, consider disabling the rcube_washtml.php function until a patch is available. Restrict access to the vulnerable program/lib/Roundcube module to minimize the risk of exploitation. Avoid using the rcube_washtml.php behavior in the affected API endpoint until the issue is resolved.

Exploit · Fix · XSS

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2021-3558
ALT-PU-2022-1073
ALT-PU-2023-6826
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2023-07143
BIT-ROUNDCUBE-2023-5631
CVE-2023-5631
DLA-3630-1
DSA-5531-1
MGASA-2023-0332
OPENSUSE-SU-2023:0345-1
OPENSUSE-SU-2024:13365-1
USN-6848-1

Affected Products

Alt Linux
Linuxmint
Red Os
Roundcube
Ubuntu