Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail

[Kapetanakis Giannis <bilias () edu physics uoc gr>]

Versions up to 1.6.3 - not 1.6.4 - are vulnerable.

https://www.cve.org/CVERecord?id=CVE-2023-5631

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a 
crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to 
load arbitrary JavaScript code.

G

On 31/10/2023 23:26, Valtteri Vuorikoski wrote:
> Not associated with the project or ESET, but didn't see anything here about
> this yet.
>
> Roundcube is an open-source webmail client. Versions up to 1.6.4 are
> vulnerable (including the 1.4.x and 1.5.x series) to an XSS exploit
> caused by an issue in the sanitization of SVG image elements in HTML
> emails. ESET describes CVE-2023-5631 as follows in their press release
> at 
> <https://www.eset.com/us/about/newsroom/press-releases/eset-research-winter-vivern-attacks-roundcube-webmail-servers-of-governments-in-europe-through-zero-1/>:
>
>   By sending a specially crafted email message, attackers are able to
>   load arbitrary JavaScript code in the context of the Roundcube user’s
>   browser window. No manual interaction other than viewing the message
>   in a web browser is required. The final JavaScript payload can
>   exfiltrate email messages to the command and control server of the
>   group.
>
> The Roundcube project has released new versions for each of the abovementioned
> release series. The official release notification is at
> <https://roundcube.net/news/2023/10/16/security-update-1.6.4-released>.
>
> According to ESET, the vulnerability is being actively exploited to
> target "governmental entities in Europe".
>
>  -Valtteri