PRIOn Logo

Roundcube’s CVE-2023-5631 Vulnerability

A Target for Threat Actor 'Winter Vivern'

Roundcube versions prior to 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 face a stored XSS vulnerability. It results from inadequate sanitization of SVG files in HTML messages, enabling malicious actors to inject JavaScript. CVE-2023-5631 was exploited by "Winter Vivern" on October 11, 2023, but a patch was released on October 16, 2023. The vulnerability holds an 'Immediate' priority status with a score of 95 according to PRIOn Decision Engine.

Cover Image for Roundcube’s CVE-2023-5631 Vulnerability

Roundcube, in versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, is grappling with a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability arises from the behavior of the program/lib/Roundcube/rcube_washtml.php, a component within Roundcube.

Due to inadequate sanitization of SVG files within HTML messages by the Roundcube server, malicious actors were able to exploit this vulnerability by sending specially crafted email messages that contained a malicious SVG document, ultimately resulting in JavaScript injection.

As per ESET’s findings, CVE-2023-5631 was maliciously exploited by “Winter Vivern” threat actor on October 11 2023. A patch was developed and released on October 16 2023.

As per PRIOn Decision Engine, the CVE-2023-5631 vulnerability holds an "Immediate" priority status with a score of 95.

Basic Analysis

  • Vulnerability Type: Cross Site Scripting

  • CVSSv2: CVSS:2.0/AV:N/AC:M/AU:N/C:N/I:P/A:N (4.3)

  • CVSSv3: CVSS:2.0/AV:N/AC:M/AU:N/C:N/I:P/A:N (5.4)

  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

  • CWE Top 25: Yes

 Threat Context

  • Active Exploitation: Yes

  • Exploits: Yes (0day)

  • MITRE ATT&CK: T1566 (Phishing), T1190 (Exploit Public-facing Application), T1189 (Drive-by Compromise), T1059 (Command And Scripting Interpreter)

  • MITRE CAPEC: CAPEC-592 (Stored XSS)

  • Cyber Threat Intelligence: Yes

    • Threat Actor: "Winter Vivern"

    • Motivation: Espionage

    • Target Countries: Central Asia, Europe

    • Target Industries: Defense, Government

Cyber Security Framework Impact

  • OWASP TOP 10: A03:2021 (Injection)

  • WASC: WASC-8 (Cross Site Scripting)

  • OWASP ASVS: V5.3.3, V14.4.3 V14.2.1

  • DISA STIG: APSC-DV-002630, APSC-DV-002490

Compliance Impact

  • PCI DSS: 6.5.7 (Cross Site Scripting)

  • NIST: SI-10 (Information Input Validation)

  • ISO 27001: A.14.2.5, A.14.1.2 , A.12.6.1

  • HIPAA: 164.306(a)(2), 164.306(a)(1)


Administrators are strongly recommended to update to the latest versions.

Patches are available:

More from PRIOn

A Year in Review 2022

PRIOn Team
PRIOn Team
Cover Image for undefined