**CRITICAL RISK** CVE-2023-5631 Roundcube Webmail < v1.6.4 – Stored (Persistent) Cross-Site Scripting (‘XSS’) via JavaScript Injection in SVG Tags

Background & Context

Roundcube is a web-based IMAP email client whose most prominent feature is its pervasive use of Ajax. It is written in PHP and can be deployed on a LAMP stack or on any other operating system that supports PHP. Roundcube Webmail is designed to run on standard web servers such as Apache, LiteSpeed, Nginx, Lighttpd, Hiawatha or Cherokee in conjunction with a relational database engine; supported databases are MySQL, PostgreSQL and SQLite. The user interface is rendered in XHTML and CSS. Roundcube incorporates jQuery as part of its distribution, as well as other libraries such as GoogieSpell and TinyMCE.


Vulnerability Summary

Roundcube Webmail allows stored XSS via an HTML e-mail message containing a crafted SVG document. The HTML sanitiser in program/lib/Roundcube/rcube_washtml.php fails to properly sanitise this user-provided input before it is returned to the user: the product does not neutralise, or incorrectly neutralises, user-controllable input before placing it in output that is served as a web page to other users. This could allow a remote attacker to load arbitrary JavaScript code in the victim’s browser.
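To illustrate the class of content an HTML-mail sanitiser has to neutralise, the following Python is an added example written for this advisory; it is not Roundcube’s rcube_washtml.php or any vendor code, and it does not reproduce the CVE’s payload. It walks an HTML mail body with the standard-library parser and records script-capable constructs that sit inside `<svg>` elements: `<script>` elements, `on*` event-handler attributes, `javascript:` URIs and `data:` URIs (which can carry a nested document). The two sample bodies are constructed.

```python
from html.parser import HTMLParser

# Constructed sample HTML mail bodies (not real campaign content).
BENIGN_HTML = (
    '<p>Hello</p>'
    '<svg width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
)
SUSPECT_HTML = (
    '<p>Get started</p>'
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>/* active content inside an SVG document */</script>'
    '<a href="javascript:void(0)" onclick="run()">link</a>'
    '<image xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/>'
    '</svg>'
)

URI_ATTRS = ("href", "xlink:href", "src")


class SvgActiveContentFinder(HTMLParser):
    """Records script-capable constructs that appear inside <svg> elements.

    A sanitiser that keeps SVG but lets any of these through hands the
    recipient's browser attacker-controlled JavaScript (stored XSS).
    """

    def __init__(self):
        super().__init__()
        self.svg_depth = 0      # >0 while inside at least one <svg>
        self.findings = []      # (kind, "tag@attribute") tuples

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return              # only SVG content is inspected in this example
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):                 # onclick, onload, ...
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URI_ATTRS and value.startswith("javascript:"):
                self.findings.append(("javascript-uri", f"{tag}@{name}"))
            elif name in URI_ATTRS and value.startswith("data:"):
                # a data: URI can embed a further document (e.g. another SVG)
                self.findings.append(("data-uri", f"{tag}@{name}"))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def find_active_svg_content(html_body):
    """Return the list of flagged constructs for one HTML mail body."""
    finder = SvgActiveContentFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        print(label, find_active_svg_content(body))
```

The benign body yields no findings; the suspect body is flagged four times. A real sanitiser has to go further than detection (drop or rewrite the offending nodes and attributes, and handle entity and case tricks), but the list above is the minimum set of constructs an SVG-aware allow-list must strip.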


Impact If Exploited

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim’s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim’s account on that web site. Finally, the script could exploit a vulnerability in the web browser itself, possibly taking over the victim’s machine (sometimes referred to as “drive-by hacking”).

NOTE: CISA (America’s Cyber Defense Agency) reports this vulnerability as known to be actively exploited in the wild as of 2023-10-26; remediation should therefore be prioritised in any impacted environment. The exploit has been confirmed to work in both Google Chrome and Mozilla Firefox. According to ESET researchers, the Winter Vivern APT group has been exploiting this zero-day vulnerability (CVE-2023-5631) in Roundcube webmail servers to spy on the email communications of European governmental entities and a think tank.


Affected Product Versions

Application versions:

  • Roundcube before 1.4.15,
  • Roundcube 1.5.x before 1.5.5, and
  • Roundcube 1.6.x before 1.6.4

OS Distributions:

  • For Debian 10 buster, Roundcube before 1.3.17+dfsg.1-1~deb10u4.
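The following Python is an added example for this advisory (not vendor tooling) that turns the upstream version list above into a check an administrator can run against the version string reported by a Roundcube install. It applies only to upstream version numbers: distribution packages such as the Debian one listed above carry backported fixes, so a package version must be compared against the distribution’s own fixed package version (for example with `dpkg --compare-versions`), not against this table.

```python
import re

# Fixed releases per upstream branch, taken from the advisory's affected-version list.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}
OLDEST_FIXED_BRANCH = (1, 4)


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple of ints; any suffix is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if this *upstream* Roundcube version falls in an affected range.

    Not valid for distribution package versions (e.g. Debian's
    1.3.17+dfsg.1-1~deb10u4), which backport the fix under an older number.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True     # everything "before 1.4.15" is listed as affected
    return False        # a branch newer than any listed one is not in the list


if __name__ == "__main__":
    for v in ("1.3.17", "1.4.14", "1.4.15", "1.5.4", "1.5.5", "1.6.3", "1.6.4"):
        print(v, "affected" if is_affected(v) else "fixed")
```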


Indicators of Compromise

The hackers sent their targets an email impersonating the “Microsoft Accounts Team”, carrying an SVG tag containing a base64-encoded payload (the exploit script). In this campaign, the emails were sent from team.managment@outlook.com and had the subject “Get started in your Outlook”. When triggered, the script exfiltrates email messages to the C&C server by making HTTP requests to https://recsecas.com/controlserver/saveMessage.
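As an added example for this advisory (not ESET’s or the vendor’s tooling), the Python below applies the three indicators above to stored messages and to an outbound web-proxy log. The sender, subject and C&C host come from the advisory; the sample messages and the Squid-format proxy log lines are constructed and contain no exploit content. Exfiltration over HTTPS leaves only the host visible to a proxy, so the log check matches on the host rather than the full URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the advisory.
IOC_SENDER = "team.managment@outlook.com"
IOC_SUBJECT = "Get started in your Outlook"
IOC_C2_HOST = "recsecas.com"

# Constructed sample messages (header/body shapes only, no exploit content).
SAMPLE_PHISH = """\
From: Microsoft Accounts Team <team.managment@outlook.com>
To: user@example.invalid
Subject: Get started in your Outlook
Content-Type: text/html; charset=utf-8

<html><body><p>Welcome</p><svg xmlns="http://www.w3.org/2000/svg"></svg></body></html>
"""
SAMPLE_BENIGN = """\
From: Alice <alice@example.invalid>
To: user@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Are you free at noon?
"""

# Constructed outbound-proxy log lines in Squid native format; the first one
# models a victim browser tunnelling to the C&C host, the third is a look-alike.
PROXY_LOG = """\
1698300001.123    245 10.0.0.5 TCP_TUNNEL/200 4210 CONNECT recsecas.com:443 - HIER_DIRECT/203.0.113.9 -
1698300002.456    120 10.0.0.7 TCP_MISS/200 832 GET http://www.example.invalid/ - HIER_DIRECT/198.51.100.4 text/html
1698300003.789     98 10.0.0.5 TCP_MISS/200 640 GET http://notrecsecas.com/ - HIER_DIRECT/198.51.100.8 text/html
"""

# Match the C&C host as a whole name: "notrecsecas.com" and
# "recsecas.com.other" must not count.
C2_HOST_RE = re.compile(
    r"(?<![\w.-])" + re.escape(IOC_C2_HOST) + r"(?![\w-]|\.\w)", re.IGNORECASE
)


def match_message_iocs(raw_message):
    """Return the names of advisory indicators present in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() == IOC_SENDER:
        hits.append("sender")
    if msg.get("Subject", "").strip().lower() == IOC_SUBJECT.lower():
        hits.append("subject")
    # Single-part bodies only in this example; a full scanner would walk
    # every text/html part of a multipart message.
    body = msg.get_payload(decode=True) or b""
    if msg.get_content_type() == "text/html" and b"<svg" in body.lower():
        hits.append("svg-in-html-body")
    return hits


def match_proxy_log(log_text):
    """Return (line_number, client_ip) for each proxy line that reached the C&C host."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if C2_HOST_RE.search(line):
            fields = line.split()
            hits.append((number, fields[2]))   # third Squid field is the client IP
    return hits


if __name__ == "__main__":
    print("phish:", match_message_iocs(SAMPLE_PHISH))
    print("benign:", match_message_iocs(SAMPLE_BENIGN))
    print("proxy:", match_proxy_log(PROXY_LOG))
```

A message hitting only the SVG check is not on its own an indicator (SVG in HTML mail is legitimate); the sender and subject matches, and any client that reached the C&C host, are the findings worth escalating, and the client IPs from the proxy check identify which mailboxes were opened while vulnerable.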



Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of Roundcube. For product updates, use the built-in package manager on your OS, or else download directly via https://roundcube.net/download/.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.


Category: Cross-Site Scripting



AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
