CVE-2023-5631

Name: CVE-2023-5631
Creator: NVD / NIST
Published: 2023-10-18T15:15:08.727+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.4/10Actively ExploitedEPSS 70.88%

Last modified Jun 17, 2026

CVE-2023-5631 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.. CISA has confirmed active exploitation in the wild. EPSS estimates a 70.88% chance of exploitation in the next 30 days.

Description

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

70.88%

99.3th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Nov 16, 2023.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Roundcube	Webmail	< 1.4.15
Roundcube	Webmail	>= 1.5.0, < 1.5.5
Roundcube	Webmail	>= 1.6.0, < 1.6.4
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0
Debian	Debian Linux	12.0
Fedoraproject	Fedora	39

References

http://www.openwall.com/lists/oss-security/2023/11/01/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/01/3Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/17/2Mailing List, Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079Mailing List, Patch
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31dPatch
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613Patch
https://github.com/roundcube/roundcubemail/issues/9168Exploit, Issue Tracking
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4Release Notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00035.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/Mailing List
https://roundcube.net/news/2023/10/16/security-update-1.6.4-releasedRelease Notes
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15Release Notes
https://www.debian.org/security/2023/dsa-5531Mailing List
http://www.openwall.com/lists/oss-security/2023/11/01/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/01/3Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/17/2Mailing List, Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079Mailing List, Patch
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31dPatch
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613Patch
https://github.com/roundcube/roundcubemail/issues/9168Exploit, Issue Tracking
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4Release Notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00035.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/Mailing List
https://roundcube.net/news/2023/10/16/security-update-1.6.4-releasedRelease Notes
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15Release Notes
https://www.debian.org/security/2023/dsa-5531Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5631US Government Resource

Timeline

Published: Oct 18, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-5631?

How severe is CVE-2023-5631?

CVE-2023-5631 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 70.88% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2023-5631?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-5631?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST