Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
CVE-2023-43770, a vulnerability in the Roundcube webmail software that was fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding it to its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2023-43770 allows attackers to mount cross-site scripting (XSS) attacks through specially crafted links in plain-text email messages.
The vulnerability could lead to information disclosure, and affects Roundcube versions 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
Roundcube vulnerabilities often exploited for cyberespionage
In June 2023, Recorded Future and Ukraine's CERT uncovered a spear-phishing campaign targeting several Ukrainian state organizations with emails exploiting an XSS flaw in Roundcube and CVE-2021-44026, an SQL injection flaw, to exfiltrate information from the Roundcube database.
In October 2023, ESET reported on another XSS flaw in Roundcube being exploited as a zero-day by the Winter Vivern cyberespionage APT to target governmental entities across Europe.
News URL
https://www.helpnetsecurity.com/2024/02/13/cve-2023-43770/
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials
- Roundcube XSS flaw exploited to steal credentials, email (CVE-2024-37383)
- CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)
- Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System
- Google patches actively exploited Android vulnerability (CVE-2024-43093)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418)
- Oracle patches exploited Agile PLM vulnerability (CVE-2024-21287)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
|---|---|---|---|
| 2023-09-22 | CVE-2023-43770 | Cross-site scripting vulnerability in multiple products: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | 6.1 |
| 2021-11-19 | CVE-2021-44026 | SQL injection vulnerability in multiple products: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | 9.8 |
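As an added example (not code from the article or from the Roundcube project), the following Python check maps an installed Roundcube version onto the affected ranges taken from the two CVE descriptions in the table above, so an inventory script can flag hosts that still need the 1.4.14 / 1.5.4 / 1.6.3 (and 1.3.17 / 1.4.12) updates; the version strings used in the comments and tests are constructed values.

```python
"""Flag Roundcube versions that fall inside the affected ranges of
CVE-2023-43770 and CVE-2021-44026 (ranges as stated in the CVE text)."""
import re

# Per CVE: the first fixed release of every branch the advisory names.
# Versions older than the oldest listed branch are treated as affected
# ("Roundcube before 1.4.14" also covers 1.3.x); newer unlisted branches
# were released after the fix and are treated as not affected.
ADVISORIES = {
    "CVE-2023-43770": {"1.4": (1, 4, 14), "1.5": (1, 5, 4), "1.6": (1, 6, 3)},
    "CVE-2021-44026": {"1.3": (1, 3, 17), "1.4": (1, 4, 12)},
}


def parse_version(text):
    """Turn '1.6.2', '1.5' or '1.5.4-beta' into a comparable int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def affected_by(version, fixed_by_branch):
    """True when `version` is older than the fix for its branch."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in fixed_by_branch:
        return v < fixed_by_branch[branch]
    oldest_fix = min(fixed_by_branch.values())
    return v < oldest_fix


def applicable_cves(version):
    """Sorted list of the page's CVE ids that apply to `version`."""
    return sorted(cve for cve, ranges in ADVISORIES.items()
                  if affected_by(version, ranges))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported Roundcube version.
    for host, ver in {"mail-a": "1.6.2", "mail-b": "1.4.11", "mail-c": "1.6.3"}.items():
        hits = applicable_cves(ver)
        print(f"{host} ({ver}): {', '.join(hits) if hits else 'not affected'}")
```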