Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
CVE-2023-43770, a vulnerability in the Roundcube webmail software that was fixed in September 2023, is being exploited by attackers in the wild. CISA warned of this by adding the vulnerability to its Known Exploited Vulnerabilities catalog.
CVE-2023-43770 allows attackers to mount cross-site scripting (XSS) attacks through specially crafted links in plain-text email messages.
The vulnerability could lead to information disclosure, and affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
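The affected-version ranges above, together with those for CVE-2021-44026 from the table at the end of this page, are easy to get wrong by hand because "before 1.4.14" covers every older branch while the 1.5.x and 1.6.x ranges are branch-specific. The following is an added example (not from the article or the Roundcube project) that turns the published ranges into a checker a defender can run against an inventory of version strings. The `RCMAIL_VERSION` constant it looks for is an assumption about how the installed version is recorded in the Roundcube source tree; the sample file content and version list are constructed for the example.

```python
"""Map Roundcube version strings to the affected ranges published for
CVE-2023-43770 and CVE-2021-44026 (ranges copied from the advisory text).
Added example; not Roundcube project code."""
import re

# Ranges as (lower_inclusive, upper_exclusive); lower=None means "any older version".
AFFECTED_RANGES = {
    "CVE-2023-43770": [
        (None, (1, 4, 14)),        # before 1.4.14 (covers 1.3.x and older too)
        ((1, 5, 0), (1, 5, 4)),    # 1.5.x before 1.5.4
        ((1, 6, 0), (1, 6, 3)),    # 1.6.x before 1.6.3
    ],
    "CVE-2021-44026": [
        (None, (1, 3, 17)),        # before 1.3.17
        ((1, 4, 0), (1, 4, 12)),   # 1.4.x before 1.4.12
    ],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as '1.6.2',
    'Roundcube Webmail 1.5' or '1.4.13-dev'. A missing patch level is treated
    as 0; pre-release suffixes are ignored, so '1.6.3-beta' compares as 1.6.3
    (treat pre-releases conservatively if they appear in an inventory)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_by(version):
    """Return the list of CVE ids whose published range contains `version`.
    Versions newer than every listed range (e.g. 1.7.x) are assumed fixed."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for lower, upper in ranges:
            if (lower is None or lower <= v) and v < upper:
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


def version_from_iniset(php_source):
    """Pull the version out of a define('RCMAIL_VERSION', '...') line.
    Assumption: Roundcube records its version this way in program/include/iniset.php."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def triage(inventory):
    """inventory: mapping host -> version string. Returns host -> affected CVEs
    (only hosts with at least one hit), the list a patching ticket would need."""
    return {host: cves for host, ver in inventory.items() if (cves := affected_by(ver))}


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    sample_iniset = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"
    print("version from iniset:", version_from_iniset(sample_iniset))
    hosts = {"mail-a": "1.6.2", "mail-b": "1.4.11", "mail-c": "1.6.3", "mail-d": "Roundcube Webmail 1.5"}
    for host, cves in triage(hosts).items():
        print(f"{host}: affected by {', '.join(cves)}")
```

The tuple comparison does the work: a version is flagged when it sits inside any published window, so `1.4.11` reports both CVEs while `1.6.3` reports none. Because the parser discards pre-release suffixes, anything reported as a fixed version but running a pre-release build deserves a manual look rather than a green tick.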
Roundcube vulnerabilities often exploited for cyberespionage.
In June 2023, Recorded Future and Ukraine's CERT uncovered a spear-phishing campaign targeting several Ukrainian state organizations with emails exploiting an XSS flaw in Roundcube and CVE-2021-44026, an SQL injection flaw, to exfiltrate information from the Roundcube database.
In October 2023, ESET reported on another XSS flaw in Roundcube being exploited as a zero-day by the Winter Vivern cyberespionage APT group to target governmental entities across Europe.
News URL
https://www.helpnetsecurity.com/2024/02/13/cve-2023-43770/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2023-09-22 | CVE-2023-43770 | Cross-site scripting vulnerability in multiple products: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | 6.1 |
| 2021-11-19 | CVE-2021-44026 | SQL injection vulnerability in multiple products: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | 9.8 |