Knowledge Base

CVE-2023-5631 vulnerability in Roundcube

Impact

CVE-2023-5631 vulnerability was discovered in Roundcube.

Situation

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

Call to action

The fix is expected in Plesk Obsidian 18.0.56 #2. Planned release date is October, 31.

Additionally, 18.0.56 #4 includes even newer Roundcube version 1.6.5.

Update Plesk to the latest version as soon as the fix is released.

Related Posts

Plesk Obsidian 18.0.62 is now available

Plesk Obsidian 18.0.61 Release

Ruby on Rails vs PHP: Which one’s right for your needs?

Knowledge Base

Websites on Plesk server are slow or show error 500 or PHP mail cannot be sent: ap_pass_brigade failed

How to customize the mail notification template

Mail delivery does not work: do not list domain in BOTH mydestination and virtual_mailbox_domains

Unable to issue a Let’s Encrypt certificate for a domain or its mail in Plesk: the DNS challenge used another IP address

Hosting Wiki