CVE-2023-5631 — Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

CVE-2023-5631

Roundcube Webmail — Stored XSS via Malicious Email Executes Attacker JavaScript in Victim's Browser; Exploited by Winter Vivern APT Against European Government Webmail

What is Roundcube Webmail?

Roundcube is one of the most widely deployed open-source webmail platforms, used by governments, academic institutions, ISPs, and organizations globally as a browser-based interface to IMAP email accounts. It renders incoming HTML email in the browser, passing each message body through its own server-side sanitizer (the rcube_washtml class) so that attacker-controlled markup cannot execute in the user's browser. Stored cross-site scripting in webmail is particularly high-impact: a crafted message causes arbitrary JavaScript to run in the victim's browser, in the webmail application's origin, as soon as the message is opened; no interaction beyond reading the mail is needed (this is the UI:R in the CVSS vector). The S:C (scope changed) metric follows the usual CVSS convention for XSS: the vulnerable component is the server-side sanitizer, while the impacted component is the user's browser executing script in the Roundcube origin.

Overview

CVE-2023-5631 is a stored (persistent) cross-site scripting vulnerability (CWE-79) in Roundcube Webmail. Per the NVD description, Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allow XSS via a crafted SVG document because of the behavior of program/lib/Roundcube/rcube_washtml.php. An unauthenticated attacker who can deliver mail to a Roundcube user sends a message containing the crafted SVG; when the recipient opens it, arbitrary JavaScript runs in the victim's browser within the Roundcube origin and authenticated session, enabling theft of session tokens, contacts, message contents, and anything else the logged-in user can reach.

CVE-2023-5631 was exploited as a zero-day by Winter Vivern (also tracked as TA473 and UAC-0114), an advanced persistent threat group that ESET assesses to be aligned with Russian and Belarusian interests and that targets European government and NATO-related organizations. ESET researchers observed the crafted messages being sent to government Roundcube servers before a fix existed and reported the flaw to Roundcube; the injected JavaScript loaded a second-stage script from attacker infrastructure that collected and exfiltrated the victim's email. Roundcube released fixed versions 1.6.4, 1.5.5, and 1.4.15 on October 16, 2023, and CISA added CVE-2023-5631 to the KEV catalog on October 26, 2023.

Affected Versions

Product                    Affected           Fixed
Roundcube Webmail 1.6.x    Prior to 1.6.4     1.6.4
Roundcube Webmail 1.5.x    Prior to 1.5.5     1.5.5
Roundcube Webmail 1.4.x    Prior to 1.4.15    1.4.15

NVD lists every release before 1.4.15 as affected, so unmaintained branches (1.3.x and earlier) have no fixed release of their own and must be upgraded to one of the supported branches above.

Technical Details

Stored (persistent) XSS (CWE-79) occurs when user-supplied data, here the body of a malicious HTML email, is stored by the application and later rendered in a browser without sanitization sufficient to prevent script execution. Roundcube parses incoming HTML bodies and runs them through rcube_washtml, a sanitizer intended to strip dangerous elements, attributes, and URLs. CVE-2023-5631 is a bypass of that sanitizer in its handling of SVG: a crafted SVG document in the message body passes the filter and reaches the browser in a form that executes JavaScript in the Roundcube origin.

The attack flow:

  1. Craft a malicious email — build an HTML message whose body contains a crafted SVG document that rcube_washtml.php does not neutralize, so the script-bearing content survives sanitization and is emitted into the rendered page
  2. Deliver to a Roundcube user — send the email to the target's address; no user interaction is needed beyond the victim viewing the email in Roundcube
  3. Execute JavaScript in the victim's session — when the victim opens the email, the unsanitized payload executes as JavaScript in the Roundcube origin
  4. Exfiltrate session data — the attacker-controlled JavaScript reads the victim's email contents, contacts, or session token and sends them to an attacker-controlled server

Winter Vivern's documented payload used this foothold to fetch a second-stage script from the group's infrastructure, which read messages from the victim's mailbox and sent them to the attackers. Because the script runs every time the crafted message is rendered, collection continues for as long as the message stays in the mailbox, and no exploitation of the mail server itself is required.
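The hunting heuristic below, written for this advisory and not taken from Roundcube or from ESET's report, shows what a triage pass over stored HTML bodies looks like for this class of bypass. It flags script elements, on* event handlers, javascript: URLs, and SVG use/image references whose href is a data: URI, and it decodes those URIs so that an SVG document nested inside the reference is inspected as the browser would render it. The two sample bodies are constructed here; the nested-SVG construct is an illustration of the bypass class rather than the Winter Vivern payload, and the tool is a detector for mail already in a store, not a replacement for the sanitizer.

```python
"""
Hunt for script-bearing SVG constructs in HTML email bodies.

Added example for this advisory, not code from Roundcube or from ESET's report.
It is a triage heuristic, not a sanitizer: it flags <script> elements, on*
event handlers, javascript: URLs, and SVG <use>/<image> references whose href
is a data: URI, decoding such URIs so nested SVG documents are inspected too.
The sample messages below are constructed for the demonstration.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# data:<mediatype>[;base64],<payload>  (a "#fragment" may trail the payload)
DATA_URI_RE = re.compile(r"^\s*data:([^,]*),(.*)$", re.I | re.S)
MAX_NESTING = 4  # nested data: URIs could recurse without bound; cap it


def decode_data_uri(value):
    """Return the document carried by a data: URI, or None if value is not one."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    meta, payload = m.group(1).lower(), m.group(2)
    payload = payload.split("#", 1)[0]          # <use href="...#id"> fragment
    if "base64" in meta:
        payload = re.sub(r"\s+", "", payload)
        payload += "=" * (-len(payload) % 4)    # tolerate stripped padding
        try:
            return base64.b64decode(payload).decode("utf-8", "replace")
        except ValueError:
            return None
    return unquote(payload)


class _Finder(HTMLParser):
    """Collect (depth, tag, attribute, reason) for markup that can run script."""

    def __init__(self, depth):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((self.depth, tag, None, "script element"))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append((self.depth, tag, name, "event handler attribute"))
            elif value.lower().startswith("javascript:"):
                self.findings.append((self.depth, tag, name, "javascript: URL"))
            elif name in ("href", "xlink:href") and tag in ("use", "image"):
                inner = decode_data_uri(value)
                if inner is None:
                    continue
                self.findings.append((self.depth, tag, name, "data: URI on SVG reference"))
                if self.depth < MAX_NESTING:
                    # The referenced document is rendered by the browser as SVG,
                    # so scan it as if it were part of the message itself.
                    self.findings.extend(scan_html(inner, self.depth + 1))


def scan_html(html, depth=0):
    """Scan one HTML body; returns a list of (depth, tag, attr, reason) findings."""
    finder = _Finder(depth)
    finder.feed(html)
    finder.close()
    return finder.findings


def is_suspicious(html):
    return bool(scan_html(html))


# Constructed samples (not captured mail). INNER_SVG is what an attacker would
# hide inside the data: URI; the outer message looks like an ordinary SVG icon.
INNER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<image href="nonexistent" onerror="alert(document.domain)"/></svg>'
)
MALICIOUS_BODY = (
    "<p>Please review the attached agenda.</p>"
    '<svg id="x"><use href="data:image/svg+xml;base64,'
    + base64.b64encode(INNER_SVG.encode()).decode()
    + '#x"/></svg>'
)
BENIGN_BODY = (
    "<p>Hello,</p>"
    '<img src="https://example.invalid/logo.png" alt="logo">'
    '<svg viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(f"{label}: {scan_html(body)}")
```

Run it over the text/html parts of messages received in the exposure window (October 2023 and earlier, for hosts patched late); a hit at depth 1 or deeper is the interesting case, because that is content the outer sanitizer never saw as markup. Expect some false positives from legitimate newsletters that inline SVG with data: URIs, so review hits rather than acting on them blindly.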

Discovery

ESET researcher Matthieu Faou discovered the vulnerability while investigating Winter Vivern activity: the group was already exploiting it in the wild, making it a zero-day at the time of discovery. ESET reported it to the Roundcube team, which published fixed releases on October 16, 2023. ESET's write-up placed the exploitation within Winter Vivern's broader campaign against European government ministries, military organizations, and NATO-affiliated entities running Roundcube.

Exploitation Context

Winter Vivern (TA473/UAC-0114) is a threat actor that has persistently targeted European government and diplomatic organizations since at least 2021. Its operational pattern consistently focuses on webmail platforms (Roundcube, Zimbra), because compromising a government official's mailbox yields high-value intelligence at lower cost and lower detection risk than compromising an endpoint. The group previously exploited Zimbra CVE-2022-27926 in a similar campaign.

Unlike the Zimbra campaign, which relied on a vulnerability that had already been patched, CVE-2023-5631 was used as a zero-day: ESET saw the malicious messages in the wild before any fix existed, and the patch was a response to ESET's report. The compressed timeline (fix released October 16, CVE published October 18, KEV listing October 26) reflects disclosure driven by observed exploitation, not weaponization of a published patch.

Remediation

  1. Upgrade Roundcube to 1.6.4, 1.5.5, or 1.4.15 (or a later release on the same branch) — apply the October 16, 2023 security release; installations on unmaintained branches older than 1.4 have no fixed release and must move to a supported branch.
  2. Track Roundcube security releases — Roundcube has no self-update mechanism, so subscribe to the project's release announcements and apply security releases promptly with the bundled bin/installto.sh script or your distribution's package.
  3. Hunt for prior exploitation — search stored mail for HTML bodies carrying SVG content with data: URIs, event-handler attributes, or script elements, and review the webmail host's web server logs around the time such messages were received; treat the sessions of users who opened suspect messages as compromised and expire them.
  4. Deploy a Content Security Policy — a CSP on the Roundcube virtual host (in particular the connect-src, img-src, and form-action directives) limits where injected script can send data; test it carefully, since Roundcube's own interface depends on inline scripts and an overly strict script-src will break it.
  5. Monitor for outbound connections from webmail users — Winter Vivern's exfiltration consisted of HTTP requests from the victim's browser to attacker-controlled domains; proxy or network monitoring for unexpected destinations contacted while users are in the webmail UI can detect active exploitation.
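For step 1 across a fleet, the check has to be branch-aware: 1.5.4 sorts above 1.4.15 numerically but is still vulnerable, while 1.4.15 is fixed. The script below is an added example, not a Roundcube tool; it reads RCMAIL_VERSION from program/include/iniset.php (the file in which Roundcube defines its release version) and compares it against the fixed release of the matching branch. The sample iniset.php content is constructed for the demonstration.

```python
"""
Branch-aware version triage for CVE-2023-5631.

Added example, not a Roundcube tool. Reads RCMAIL_VERSION from
program/include/iniset.php and compares it with the fixed release of the
matching branch; releases on branches older than 1.4 are reported as unfixed.
"""
import re
import sys

# Fixed releases per branch from the October 16, 2023 security release.
FIXED = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}
OLDEST_FIX = (1, 4, 15)
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_tuple(s):
    """'1.6.3' -> (1, 6, 3); pre-release suffixes such as '1.6-rc' count as .0."""
    parts = []
    for piece in re.split(r"[.\-]", s):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def fmt(v):
    return ".".join(str(x) for x in v)


def parse_iniset(text):
    """Return the version tuple defined in iniset.php content, or None."""
    m = VERSION_RE.search(text)
    return version_tuple(m.group(1)) if m else None


def assess(version):
    """Return (vulnerable, explanation) for a version tuple."""
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if version < fixed:
            return True, f"{fmt(version)} predates the {fmt(branch)}.x fix in {fmt(fixed)}"
        return False, f"{fmt(version)} carries the {fmt(branch)}.x fix ({fmt(fixed)})"
    if version < OLDEST_FIX:
        # NVD lists everything before 1.4.15; 1.3 and earlier never got a fix.
        return True, f"{fmt(version)} is an unfixed legacy branch; move to a fixed branch"
    return False, f"{fmt(version)} is newer than the affected branches"


# Constructed stand-in for program/include/iniset.php on a vulnerable host.
SAMPLE_INISET = "<?php\n\n// Roundcube version\ndefine('RCMAIL_VERSION', '1.6.3');\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INISET
    version = parse_iniset(text)
    if version is None:
        sys.exit("RCMAIL_VERSION not found")
    vulnerable, why = assess(version)
    print(("VULNERABLE: " if vulnerable else "OK: ") + why)
```

Point it at the real iniset.php of each installation (for example via your configuration management tool) rather than trusting package metadata, since distribution packages sometimes backport the fix without bumping the upstream version string; in that case confirm the backport from the package changelog before marking the host as fixed.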

Key Details

Property               Value
CVE ID                 CVE-2023-5631
Vendor / Product       Roundcube — Webmail
NVD Published          2023-10-18
NVD Last Modified      2025-10-30
CVSS 3.1 Score         6.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity               MEDIUM
CWE                    CWE-79
CISA KEV Added         2023-10-26
CISA KEV Deadline      2023-11-16
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Changed
Confidentiality        Low
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2023-11-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-10-16    Roundcube releases security updates 1.6.4, 1.5.5, and 1.4.15 patching CVE-2023-5631
2023-10-18    CVE-2023-5631 formally published
2023-10-26    CISA adds CVE-2023-5631 to the Known Exploited Vulnerabilities catalog; the same week, ESET publishes its research documenting Winter Vivern (TA473/UAC-0114) exploiting the flaw as a zero-day against European government webmail
2023-11-16    CISA BOD 22-01 remediation deadline