Bugzilla – Bug 1216429
VUL-0: CVE-2023-46267: roundcube: XSS via a text/html e-mail message containing an SVG image with a USE element
Last modified: 2024-05-29 11:16:02 UTC
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows XSS via a text/html e-mail message containing an SVG image with a USE element. This is related to wash_uri in rcube_washtml.php. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46267
This is an autogenerated message for OBS integration: This bug (1216429) was mentioned in https://build.opensuse.org/request/show/1120505 Factory / roundcubemail
openSUSE-SU-2023:0345-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1216429 CVE References: CVE-2023-5631 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): roundcubemail-1.6.4-bp155.2.6.1
Missing in Leap 15.6. Please process incoming submission or fix in Leap 15.6 in your chosen way. (bug 1225537)
As per bug 1225537 now also fixed in Leap 15.6, closing