Vulnerabilities affect Roundcube versions 1.6.3 and older

October 27, 2023

Summary
Stored XSS vulnerabilities affect Roundcube versions 1.6.3 and older (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service offered within cPanel & WHM.

Security Rating
NIST's National Vulnerability Database (NVD) has given the following severity ratings to these CVEs:

CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM

Description
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code (CVE-2023-5631).

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of rcube_string_replacer.php behavior (CVE-2023-43770).

Solution
To resolve and work around the issue on Linux systems, cPanel has issued new Roundcube RPMs. Server owners are strongly urged to upgrade to the following cPanel & WHM versions:

11.110.0.14
11.114.0.10
11.116.0.2

Verify the new Roundcube RPMs were installed:

RHEL/RPM-based Systems

rpm -q --changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
- Add patch for CVE-2023-43770
- Add patch for CVE-2023-5631

Ubuntu/DEB-based Systems

zgrep -E 'CVE-2023-43770|CVE-2023-5631' /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz
* Add patch for CVE-2023-43770
* Add patch for CVE-2023-5631
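The two verification commands above both reduce to the same check: does the installed cpanel-roundcubemail changelog carry a patch entry for each CVE? The script below is an added example, not cPanel's own tooling, that wraps that check in a function so it can be run unattended across a fleet or in a post-upgrade hook. It picks the rpm query or the Debian changelog path from the advisory depending on which exists, and otherwise demonstrates the check on two constructed changelog samples (these samples are made up for the example and are not real package output).

```shell
#!/bin/sh
# Added example (not from the cPanel advisory): confirm the cpanel-roundcubemail
# changelog lists patches for both Roundcube CVEs named in the advisory.

ADVISORY_CVES="CVE-2023-43770 CVE-2023-5631"

# has_patch_for CHANGELOG_TEXT CVE_ID -> exit 0 if the changelog mentions the CVE
has_patch_for() {
    printf '%s\n' "$1" | grep -qF "$2"
}

# missing_cves CHANGELOG_TEXT -> prints, one per line, the CVE ids not found
missing_cves() {
    _changelog=$1
    for _cve in $ADVISORY_CVES; do
        has_patch_for "$_changelog" "$_cve" || printf '%s\n' "$_cve"
    done
}

# roundcube_changelog -> prints this host's cpanel-roundcubemail changelog using the
# rpm query on RHEL-family systems or the Debian changelog path on Ubuntu (both from the advisory)
roundcube_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog cpanel-roundcubemail 2>/dev/null
    elif [ -f /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz ]; then
        zcat /usr/share/doc/cpanel-roundcubemail/changelog.Debian.gz
    fi
}

# check_patched CHANGELOG_TEXT -> exit 0 when both entries are present, 1 otherwise
check_patched() {
    _missing=$(missing_cves "$1")
    if [ -z "$_missing" ]; then
        echo "patched: both CVE patch entries present"
        return 0
    fi
    echo "NOT patched, missing:"
    printf '%s\n' "$_missing"
    return 1
}

# Constructed sample changelogs for offline demonstration (not real package output).
PATCHED_SAMPLE='* Thu Oct 26 2023 cPanel (sample)
- Add patch for CVE-2023-43770
- Add patch for CVE-2023-5631'
UNPATCHED_SAMPLE='* Mon Aug 14 2023 cPanel (sample)
- Update to upstream release'

# With --host, inspect this machine; otherwise run the check on the two samples.
if [ "${1:-}" = "--host" ]; then
    check_patched "$(roundcube_changelog)"
else
    check_patched "$PATCHED_SAMPLE"
    check_patched "$UNPATCHED_SAMPLE" || true
fi
```

Run it as `sh check_roundcube.sh --host` on a cPanel server after the upgrade; a non-zero exit status means at least one of the two patch entries is absent from the installed package's changelog, which is the condition the advisory tells you to look for.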
