
DNS Email Hijacking Resolution Update from Roundcube, Cpanel and WHM.

Recently, I posted about a DNS email hijacking breach incident affecting iam@ronoliverclarin.com within the last 24 hours. Upon checking my emails, I found that our mail server provider had informed us about a security concern related to stored XSS vulnerabilities impacting Roundcube versions 1.6.3 and earlier (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service integrated into cPanel & WHM.

Security Assessment

The National Vulnerability Database (NIST) has assigned the following severity ratings to these CVEs:

CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM

Vulnerability Description

In Roundcube versions prior to 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, a stored XSS vulnerability exists when processing HTML e-mail messages containing a manipulated SVG document, due to the behavior of rcube_washtml.php. This vulnerability could potentially enable a remote attacker to execute arbitrary JavaScript code (CVE-2023-5631).

Additionally, in Roundcube versions prior to 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3, an XSS vulnerability is present in text/plain e-mail messages with specially crafted links, attributed to the behavior of rcube_string_replacer.php (CVE-2023-43770).
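As an added example (not part of the original post), the following Python check compares an installed Roundcube version against the fixed versions listed above for each CVE, branch by branch, since each release branch has its own fix release. The `RCMAIL_VERSION` define it parses is assumed to be the one Roundcube keeps in program/include/iniset.php; the sample file contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions per Roundcube release branch, taken from the advisory text above.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2023-5631": {"1.4": "1.4.15", "1.5": "1.5.5", "1.6": "1.6.4"},
    "CVE-2023-43770": {"1.4": "1.4.14", "1.5": "1.5.4", "1.6": "1.6.3"},
}

# Constructed sample of the define Roundcube's program/include/iniset.php is
# assumed to carry (an assumption about the file, not a copy of it).
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.3');\n"


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.6.3' -> (1, 6, 3): tuples compare numerically, so 1.6.10 > 1.6.4."""
    return tuple(int(p) for p in v.strip().split("."))


def version_from_iniset(php_source: str) -> str:
    """Pull the version string out of the RCMAIL_VERSION define."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([\d.]+)'", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def unpatched_cves(installed: str) -> List[str]:
    """Return the advisory CVEs whose fix the installed version does not include.

    Each branch has its own fix release, so 1.5.4 is patched for CVE-2023-43770
    but not for CVE-2023-5631. Branches older than 1.4 fall under "prior to
    1.4.x" and count as affected by both; branches newer than 1.6 count as fixed.
    """
    ver = parse_version(installed)
    branch = "%d.%d" % ver[:2]
    missing = []
    for cve, fixes in FIXED_VERSIONS.items():
        if branch in fixes:
            if ver < parse_version(fixes[branch]):
                missing.append(cve)
        elif ver < (1, 4):
            missing.append(cve)
    return missing


if __name__ == "__main__":
    v = version_from_iniset(SAMPLE_INISET)
    print(v, "missing fixes for:", unpatched_cves(v) or "none")
```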

Recommended Solution

To mitigate and address this issue on Linux systems, cPanel has released new Roundcube RPMs. As a server owner, we’ve already upgraded to the latest version. We strongly advise everyone to upgrade to the following cPanel & WHM versions:

October 28, 2023


2023 © Ron Oliver Clarin. All rights reserved.