Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 916297

Summary: <mail-client/roundcube-1.6.4: XSS vulnerability via SVG (CVE-2023-5631)
Product: Gentoo Security Reporter: peteru <bugs.gentoo.org>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description peteru 2023-10-26 11:24:21 UTC 
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. 

https://nvd.nist.gov/vuln/detail/CVE-2023-5631

This CVE does not seem to be reported by glsa-check on a system with mail-client/roundcube-1.6.3 installed.

mail-client/roundcube-1.6.4 is still showing as ~1.6.4
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-26 12:24:57 UTC 

*** This bug has been marked as a duplicate of bug 916274 ***