Roundcube Stored XSS (CVE-2023-5631, CVE-2023-43770)

Stored XSS vulnerabilities affect Roundcube versions 1.6.3 and older (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service offered within cPanel & WHM.

Security Rating
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code (CVE-2023-5631).

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of rcube_string_replacer.php behavior (CVE-2023-43770).

To resolve and work around the issue on Linux systems, cPanel has issued new Roundcube RPMs. Server Owners are strongly urged to upgrade to the following cPanel & WHM versions:

Verify the new Roundcube RPMs were installed:

RHEL/RPM-based Systems

rpm -q --changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
– Add patch for CVE-2023-43770
– Add patch for CVE-2023-5631

Ubuntu/DEB-based Systems

zgrep -E 'CVE-2023-43770|CVE-2023-5631' /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz
* Add patch for CVE-2023-43770
* Add patch for CVE-2023-5631

This notification covers CVE-2023-5631 and CVE-2023-43770.

CPANEL-43459 – CVE-2023-5631 Roundcube XSS vulnerability
Official Record CVE-2023-5631
Official Record CVE-2023-43770
Debian Bug Report for CVE-2023-5631
Debian Bug Report for CVE-2023-43770