Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability - 20231027001

Overview

The WA SOC has observed vulnerability in Roundcube (a web-based IMAP email client) allowing stored Cross Site Scripting (XSS) via an HTML e-mail message with a crafted Scalable Vector Graphics (SVG) document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

What is the vulnerability?

CVE-2023-5631 - CVSS v3 Base Score: 5.4

What is vulnerable?

The vulnerability affects the following Roundcube products:

• Webmail versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of two weeks (refer Patch Management):

• Roundcube Security Update 1.6.4
• Roundcuber Security Update 1.5.5 and 1.4.15

Additional References

• CISA known Expoited Vulnerabilities