Roundcube versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 are affected by a stored Cross-Site Scripting (XSS) vulnerability. The flaw lies in program/lib/Roundcube/rcube_washtml.php, the component of Roundcube responsible for sanitizing HTML messages.
Because the Roundcube server did not adequately sanitize SVG documents embedded in HTML messages, an attacker could exploit the vulnerability by sending a specially crafted email message containing a malicious SVG document, ultimately resulting in JavaScript injection.
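As an added illustration (not Roundcube's code and not the fix applied to rcube_washtml.php), the following Python triage check flags HTML mail bodies whose inline SVG carries the kind of active content the advisory describes: script elements, on* event-handler attributes, or javascript: URLs. The two sample messages are constructed; the scanner is a detection heuristic for mailbox exports or gateway logs, not a replacement for the vendor patch.

```python
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class SvgFinding:
    kind: str    # "script", "event-handler" or "javascript-url"
    detail: str  # the tag or attribute name that triggered the finding


class SvgActiveContentScanner(HTMLParser):
    """Records active content found inside <svg> subtrees of an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0          # >0 while we are inside an <svg> element
        self.findings: list[SvgFinding] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # only SVG embedded in the message is in scope here
        if tag == "script":
            self.findings.append(SvgFinding("script", tag))
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append(SvgFinding("event-handler", name))
            elif name in ("href", "xlink:href") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(SvgFinding("javascript-url", name))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html_body(body: str) -> list[SvgFinding]:
    """Return all active-content findings inside SVG in one HTML message body."""
    scanner = SvgActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample bodies: a benign inline SVG and one carrying active content.
CLEAN_MESSAGE = """<html><body><p>Quarterly report attached.</p>
<svg width="10" height="10"><circle cx="5" cy="5" r="4" fill="green"/></svg>
</body></html>"""

SUSPECT_MESSAGE = """<html><body><p>Please review.</p>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <a href="javascript:alert(2)"><text x="1" y="10">link</text></a>
  <script>alert(3)</script>
</svg></body></html>"""

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        print(label, [(f.kind, f.detail) for f in scan_html_body(body)])
```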
According to ESET's findings, CVE-2023-5631 was exploited in the wild by the "Winter Vivern" threat actor on October 11, 2023. A patch was developed and released on October 16, 2023.
According to the PRIOn Decision Engine, the CVE-2023-5631 vulnerability holds an "Immediate" priority status with a score of 95.
Basic Analysis
Vulnerability Type: Cross Site Scripting
CVSSv2: CVSS:2.0/AV:N/AC:M/AU:N/C:N/I:P/A:N (4.3)
CVSSv3: CVSS:2.0/AV:N/AC:M/AU:N/C:N/I:P/A:N (5.4)
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
CWE Top 25: Yes
Threat Context
Active Exploitation: Yes
Exploits: Yes (0day)
MITRE ATT&CK: T1566 (Phishing), T1190 (Exploit Public-facing Application), T1189 (Drive-by Compromise), T1059 (Command And Scripting Interpreter)
MITRE CAPEC: CAPEC-592 (Stored XSS)
Cyber Threat Intelligence: Yes
Threat Actor: "Winter Vivern"
Motivation: Espionage
Target Countries: Central Asia, Europe
Target Industries: Defense, Government
Cyber Security Framework Impact
OWASP TOP 10: A03:2021 (Injection)
WASC: WASC-8 (Cross Site Scripting)
OWASP ASVS: V5.3.3, V14.4.3, V14.2.1
DISA STIG: APSC-DV-002630, APSC-DV-002490
Compliance Impact
PCI DSS: 6.5.7 (Cross Site Scripting)
NIST: SI-10 (Information Input Validation)
ISO 27001: A.14.2.5, A.14.1.2, A.12.6.1
HIPAA: 164.306(a)(2), 164.306(a)(1)
Patches
Administrators are strongly advised to update to the latest versions.
Patches are available in the following releases:
Security updates 1.5.5 and 1.4.15 released:
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
Security update 1.6.4 released:
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released