Recently, I posted about a DNS email hijacking breach incident affecting firstname.lastname@example.org in the last 24 hours. Upon checking my emails, our mail server provider has informed us about a security concern related to stored XSS vulnerabilities impacting Roundcube versions 1.6.3 and earlier (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service integrated into cPanel & WHM.
Security Assessment
The National Vulnerability Database (NVD), maintained by NIST, has assigned the following severity ratings to these CVEs:
CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM
Additionally, in Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3, a cross-site scripting (XSS) vulnerability exists in text/plain e-mail messages containing specially crafted links, caused by the behavior of rcube_string_replacer.php (CVE-2023-43770).
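Because the fixed release differs per Roundcube branch, a plain "is my version below 1.6.3?" check gives the wrong answer for 1.4.x and 1.5.x installs. The script below is an added example (not part of this post and not cPanel or Roundcube code) that encodes the per-branch thresholds stated above for CVE-2023-43770, and the "1.6.3 and earlier" boundary stated for CVE-2023-5631, and reports which advisories a given version string still lacks a fix for. The 1.4.15 and 1.5.5 entries for CVE-2023-5631 come from the upstream Roundcube advisory rather than from this post, and the input version string is assumed to have been read from the installed Roundcube package (for example from the RPM version), possibly with a packaging suffix such as `-1.el8`.

```python
"""Roundcube version check for CVE-2023-43770 and CVE-2023-5631.

Added example; not the original post's or Roundcube's code.
Input: a Roundcube version string such as "1.6.2", "v1.5.3" or "1.4.14-1.el8".
"""
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed release per maintained branch, keyed by CVE.
# CVE-2023-43770 thresholds are the ones stated in the post (1.4.14 / 1.5.4 / 1.6.3).
# CVE-2023-5631: the post says 1.6.3 and earlier are affected, so 1.6.4 is the first
# fixed 1.6.x; the 1.4.15 / 1.5.5 entries are from the upstream advisory (assumption
# relative to this post).
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2023-43770": {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)},
    "CVE-2023-5631": {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)},
}


def parse_version(text: str) -> Version:
    """Turn '1.6.3' into (1, 6, 3).

    Tolerates a leading 'v', a packaging suffix after '-' (e.g. '1.6.3-1.el8')
    and pre-release tails such as '1.6.3rc1' (only leading digits of each
    component are used). Missing components are padded with 0.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs in FIXED for which the given version predates the fix."""
    v = parse_version(version_text)
    branch = (v[0], v[1])
    hits: List[str] = []
    for cve, table in FIXED.items():
        if branch in table:
            if v < table[branch]:
                hits.append(cve)
        else:
            # Branches older than those listed (e.g. 1.3.x) never received a fix;
            # branches newer than the newest fixed release are taken as fixed.
            if v < max(table.values()):
                hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["1.6.2"]:
        missing = affected_cves(arg)
        status = "UPGRADE NEEDED: " + ", ".join(missing) if missing else "fixed for both CVEs"
        print(f"Roundcube {arg}: {status}")
```

Run it with the version string of the installed package as the argument; an empty result means the install is at or past the fixed release for both advisories on its branch. Note that a 1.6.3 install, which the post's "1.6.3 and earlier" wording covers, is still reported as missing the CVE-2023-5631 fix.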
Recommended Solution
To mitigate and address this issue on Linux systems, cPanel has released new Roundcube RPMs. As the server owner, we have already upgraded to the latest version. We strongly advise everyone to upgrade to the following cPanel & WHM versions: