CVE-2023-5631 Information
Oct 20, 2023
cve
Description
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Reference
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5