Threat Intelligence / CVE / CVE-2023-5631

CVE-2023-5631

CISA KEV

CVSS 6.1 (MEDIUM) · EPSS 83.4% · Published 2023-10-18

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Threats tracking this CVE

RoundCube Webmail Active Exploitation — CVE-2025-49113 Deserialization RCE (CVSS 9.9) + CVE-2025-68461 XSS via SVG Animate Tag (CISA KEV) — CRITICAL

References

http://www.openwall.com/lists/oss-security/2023/11/01/1
http://www.openwall.com/lists/oss-security/2023/11/01/3
http://www.openwall.com/lists/oss-security/2023/11/17/2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
https://github.com/roundcube/roundcubemail/issues/9168
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4

Full detection coverage & IOCs for threats exploiting CVE-2023-5631 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence