CVE-2023-5631

Опубликовано: 18 окт. 2023

Источник: nvd

CVSS3: 6.1

CVSS3: 5.4

EPSS Критический

Описание

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker

to load arbitrary JavaScript code.

Ссылки

http://www.openwall.com/lists/oss-security/2023/11/01/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/01/3
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/17/2
Mailing List
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
Mailing List
Patch
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
Patch
https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
Patch
https://github.com/roundcube/roundcubemail/issues/9168
Exploit
Issue Tracking
https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
Release Notes
https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/
Mailing List
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
Release Notes
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
Release Notes
https://www.debian.org/security/2023/dsa-5531
Mailing List
http://www.openwall.com/lists/oss-security/2023/11/01/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/01/3
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/17/2
Mailing List
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
Mailing List
Patch
https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
Patch

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия до 1.4.15 (исключая)

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия от 1.5.0 (включая) до 1.5.5 (исключая)

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия от 1.6.0 (включая) до 1.6.4 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.90987

Критический

6.1 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2023-5631

CVSS3: 6.1

ubuntu

больше 1 года назад

CVE-2023-5631

CVSS3: 6.1

debian

больше 1 года назад

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...

openSUSE-SU-2023:0345-1

suse-cvrf

больше 1 года назад

Security update for roundcubemail

ROS-20231025-01

CVSS3: 5.4

redos

больше 1 года назад

Уязвимость Roundcube

GHSA-qf8f-27cp-gw76

CVSS3: 6.1

github

больше 1 года назад

EPSS

Процентиль: 100%

0.90987

Критический

6.1 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79