CVE-2023-5631

MEDIUM CVSS 3.1: 5.4 EPSS 83.4% ACTIVE EXPLOIT
Updated Oct 30, 2025
Roundcube

CISA Known Exploited Vulnerability (KEV)

This vulnerability is actively exploited in the wild. Immediate patching is strongly recommended.

Due Date: Nov 16, 2023

Parameter          Value
CVSS               5.4 (MEDIUM)
Affected Versions  1.5.0 — 1.6.4
Fixed In           1.4.15
Type               CWE-79 (Cross-Site Scripting (XSS))
Vendor             Roundcube
Public PoC         Yes

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message containing a crafted SVG document, because of the sanitizer behaviour in program/lib/Roundcube/rcube_washtml.php. This could allow a remote attacker to load arbitrary JavaScript code in the victim's webmail session.

Attack Parameters

Attack Vector        Network   (can be exploited remotely)
Attack Complexity    Low       (easy to exploit)
Privileges Required  Low       (basic privileges needed)
User Interaction     Required  (user action required)

Impact Assessment

Confidentiality  Low   (partial data leak)
Integrity        Low   (partial data modification)
Availability     None  (no disruption)

CVSS Vector v3.1

Vulnerable Products (7)

Configuration                                            From (including)  Up to (excluding)
Roundcube Webmail
  cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*            -                 1.4.15
Roundcube Webmail
  cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*            1.5.0             1.5.5
Roundcube Webmail
  cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*            1.6.0             1.6.4
Debian Debian_Linux
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*       -                 -
Debian Debian_Linux
  cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*       -                 -
Debian Debian_Linux
  cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*       -                 -
Fedoraproject Fedora
  cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*        -                 -

Related Vulnerabilities