Stored XSS vulnerabilities affect Roundcube versions 1.6.3 and older (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service offered within cPanel & WHM.
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of rcube_string_replacer.php behavior (CVE-2023-43770).
To resolve and work around the issue on Linux systems, cPanel has issued new Roundcube RPMs. Server Owners are strongly urged to upgrade to the following cPanel & WHM versions:
Verify the new Roundcube RPMs were installed. On RPM-based systems, the package changelog should list both patches:
rpm -q --changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
– Add patch for CVE-2023-43770
– Add patch for CVE-2023-5631
On Debian-based systems, the same check reads the package's Debian changelog:
zgrep -E 'CVE-2023-43770|CVE-2023-5631' /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz
* Add patch for CVE-2023-43770
* Add patch for CVE-2023-5631
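The grep alternation above also succeeds when only one of the two patch entries is present. The following script, added here as an example and not cPanel's own tooling, checks each CVE identifier separately against the installed package's changelog (rpm or Debian format, whichever is present) and names any that are missing; the sample changelog text it falls back to is constructed, not real package output.

```sh
#!/bin/sh
# Added example (not cPanel's own tooling): confirm the installed
# cpanel-roundcubemail package carries BOTH CVE patches. A single
# grep -E 'A|B' succeeds when only one patch is listed; this checks
# each identifier separately and names any that are absent.

REQUIRED_CVES="CVE-2023-43770 CVE-2023-5631"

# Print the package changelog using whichever package format is present.
# Returns 2 when no cpanel-roundcubemail package can be found.
roundcube_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q cpanel-roundcubemail >/dev/null 2>&1; then
        rpm -q --changelog cpanel-roundcubemail
    elif [ -r /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz ]; then
        zcat /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz
    else
        return 2
    fi
}

# Read changelog text on stdin and print each required CVE it does not
# mention, one per line. Returns 0 only when every CVE is present.
missing_cves() {
    changelog=$(cat)
    rc=0
    for cve in $REQUIRED_CVES; do
        case "$changelog" in
            *"$cve"*) ;;
            *) echo "$cve"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample changelog (not real rpm output) carrying only the
# first patch, the case the alternation grep would wrongly accept.
SAMPLE_PARTIAL='* cPanel build (constructed sample)
- Add patch for CVE-2023-43770'

if [ "${1:-}" = "--live" ]; then
    # Check the package actually installed on this host.
    roundcube_changelog | missing_cves && echo "both CVE patches present"
else
    # Offline demonstration against the constructed sample.
    printf '%s\n' "$SAMPLE_PARTIAL" | missing_cves || echo "patch(es) missing"
fi
```

Run with `--live` on a cPanel host to check the real package; the exit status is non-zero when any patch entry is missing, so it can be used directly in fleet audits.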
This notification covers CVE-2023-5631 and CVE-2023-43770.
CPANEL-43459 – CVE-2023-5631 Roundcube XSS vulnerability
Official Record CVE-2023-5631
Official Record CVE-2023-43770
Debian Bug Report for CVE-2023-5631
Debian Bug Report for CVE-2023-43770