CVE-2023-5631 - How a Simple SVG Bug Let Hackers Run JavaScript in Your Roundcube Email

If you use or manage a mail server, you probably know Roundcube. It’s a popular open-source webmail client used by businesses, universities, and enthusiasts worldwide. In late 2023, a critical security bug was discovered in Roundcube. This bug — CVE-2023-5631 — let attackers send emails that could run malicious JavaScript right in your browser, just by opening their messages.

In this article, I’ll explain how this bug works, show some code snippets, link you to the official references, and provide details about proof-of-concept exploitation — all in straightforward, simple language.

What is CVE-2023-5631?

CVE-2023-5631 is a stored cross-site scripting (XSS) vulnerability in Roundcube’s email view. Specifically, if you’re using:

Roundcube version 1.6.x before 1.6.4

…then you’re at risk. The bug exists in how Roundcube’s HTML sanitizer (rcube_washtml.php) handles SVG (Scalable Vector Graphics) images embedded in emails.

What can an attacker do?

If someone sends you a crafted email with a malicious SVG, their JavaScript runs as soon as you open it in Roundcube’s webmail view! This means they could:

The Technical Root Cause

Roundcube uses a library file called rcube_washtml.php to remove dangerous HTML from emails. But SVG is a tricky format: it’s an image, but it can contain scripts and event handlers.

Older versions of that file didn't sanitize all possible ways that JavaScript could be hidden in SVG files.

The main issue:
Attackers could embed scripts in places like SVG’s <script> tag or even inside harmless-looking image tags using special attributes.

Exploiting the Vulnerability: A Simple SVG Payload

Here’s a minimal example an attacker could use. This code snippet could be embedded in an HTML email, as an inline SVG:

<svg xmlns="http://www.w3.org/200/svg">;
  <script type="text/javascript">
    alert('XSS in your inbox!');
    // More malicious code could go here
  </script>
</svg>

Or, a sneakier attacker might use an SVG <animate> tag with JavaScript as its value, exploiting less obvious parts of the SVG parser.

Trickier example

<svg xmlns="http://www.w3.org/200/svg"
     onload="alert('XSS via SVG onload!')">
</svg>

When an unsuspecting user read the email in a vulnerable Roundcube version, the script would execute immediately.

Official Roundcube advisory:

https://github.com/roundcube/roundcubemail/releases/tag/1.6.4

CVE Details:

https://nvd.nist.gov/vuln/detail/CVE-2023-5631

Source fix commit:

https://github.com/roundcube/roundcubemail/pull/9289

Patch Summary:
The fix tightens the HTML purification process, properly stripping scripts and dangerous inline event handlers from SVG sections in emails.

Proof of Concept: Try It Yourself (In a Safe Test Environment!)

*Warning: Only do this on a disposable Roundcube test install!*

Conclusion

CVE-2023-5631 is a great example of how a small mistake in HTML filtering can have big consequences on web apps like Roundcube. If you operate Roundcube webmail, upgrade as soon as possible. Never trust user-supplied HTML — especially SVG!

Learn More

- Roundcube Release Notes
- CVE Timeline and Exploit tracker


Got questions or want more examples? Comment below!

Timeline

Published on: 10/18/2023 15:15:08 UTC
Last modified on: 11/17/2023 15:15:12 UTC