
Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
2024-02-13 09:36

CVE-2023-43770, a vulnerability in the Roundcube webmail software that was fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting attacks through specially crafted links in plain text email messages.

The vulnerability could lead to information disclosure, and affects Roundcube versions 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
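The bug class described above, as an added illustration that is not Roundcube's own code: a plain-text linkifier that builds HTML around detected URLs without escaping the rest of the message, beside one that escapes every non-URL segment and the href value. Both functions and the sample message are constructed for this example.

```python
import html
import re

# Only http(s) URLs are turned into links; other schemes stay plain text.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def linkify_unsafe(text: str) -> str:
    """Wrap URLs in anchors, but leave the surrounding plain text untouched.

    The message body is trusted as-is, so any HTML an attacker puts next to
    a link reaches the browser verbatim. Constructed to show the bug class.
    """
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_safe(text: str) -> str:
    """Escape every non-URL segment and the URL itself before emitting HTML.

    Walking the original text segment by segment keeps the URL detection
    independent of the escaping, so `&` in a query string is escaped once
    (as `&amp;`) inside the attribute and never double-encoded.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


# Constructed text/plain body: a legitimate link followed by an HTML payload
# that must not survive as markup in the rendered message.
SAMPLE_BODY = (
    "see https://example.com/?a=1&b=2 for details "
    "<img src=x onerror=alert(1)>"
)


def demo() -> tuple[str, str]:
    return linkify_unsafe(SAMPLE_BODY), linkify_safe(SAMPLE_BODY)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```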

Roundcube vulnerabilities often exploited for cyberespionage.

In June 2023, Recorded Future and Ukraine's CERT uncovered a spear-phishing campaign targeting several Ukrainian state organizations with emails exploiting an XSS flaw in Roundcube and CVE-2021-44026, an SQL injection flaw, to exfiltrate information from the Roundcube database.

In October 2023, ESET reported on another XSS flaw in Roundcube being exploited as a zero-day by the Winter Vivern cyberespionage APT to target governmental entities across Europe.


News URL

https://www.helpnetsecurity.com/2024/02/13/cve-2023-43770/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                      RISK
2023-09-22  CVE-2023-43770  Cross-site Scripting vulnerability in multiple products  6.1
            Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
            Attack vector: network, low complexity. Vendors: roundcube, debian. Weakness: CWE-79.
2021-11-19  CVE-2021-44026  SQL Injection vulnerability in multiple products         critical, 9.8
            Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
            Attack vector: network, low complexity. Vendors: roundcube, fedoraproject, debian. Weakness: CWE-89.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Roundcube 3 0 27 12 5 44