Weitere Veröffentlichungen

In unserem Labor schreiben wir regelmäßig in Form von Blogbeiträgen über identifizierte Sicherheitslücken, welche nach dem Responsible Disclosure Verfahren veröffentlicht werden.

Veröffentlichung (CVE-2023-47272)

RoundCube 1.6.4 and 1.5.5 - Cross Site Scripting (XSS)

01.01.2024 - Rene Rehme

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

Responsible Disclosure

2024 - The vulnerability has been identified.

16. Okt. 2023 - The vulnerability was reported to RoundCube via E-Mail.

17. Okt. 2023 - The security vulnerability has been confirmed.

04. Nov. 2023 - A fix is in the works, a new version is planned for the upcoming weekend.
05. Nov. 2023 - Security updates 1.6.5 and 1.5.6 released

11. Jun. 2024 - Blog article published.


We are not disclosing detailed information about the vulnerability at this time to prevent active exploitation. It should be noted that certain prerequisites must be met for the vulnerability to be exploited.


In a proof of concept, we have written an exploit that shows which threats (regardless of the CVSS base score) this vulnerability harbours.

Proof of Concept (Exploit)


CWE-20 Improper Input Validation


External Information