Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-5631

Published: 18 October 2023

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Priority

Medium

Cvss 3 Severity Score

5.4

Score breakdown

Status

Package Release Status
roundcube
Launchpad, Ubuntu, Debian
bionic
Released (1.3.6+dfsg.1-1ubuntu0.1~esm4)
Available with Ubuntu Pro
focal
Released (1.4.3+dfsg.1-1ubuntu0.1~esm4)
Available with Ubuntu Pro
jammy
Released (1.5.0+dfsg.1-2ubuntu0.1~esm3)
Available with Ubuntu Pro
lunar Ignored
(end of life, was needs-triage)
mantic
Released (1.6.2+dfsg-1ubuntu0.2)
noble Not vulnerable
(1.6.6+dfsg-2)
trusty Ignored
(end of standard support)
upstream
Released (1.6.4+dfsg-1)
xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
upstream: https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d

Severity score breakdown

Parameter Value
Base score 5.4
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N