Security News > 2024 > February > Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
CVE-2023-43770, a vulnerability in the Roundcube webmail software that has been fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities catalog.
CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting attacks through specially crafted links in plain text email messages.
The vulnerability could lead to information disclosure, and affects Roundcube versions 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
Roundcube vulnerabilities often exploited for cyberespionage.
In June 2023, Recorded Future and Ukraine's CERT uncovered a spear-phishing campaign targeting several Ukrainian state organization with emails exploiting a XSS flaw in Roundcube and CVE-2021-44026, an SQL injection flaw, to exfiltrate information from the Roundcube database.
In October 2023, ESET reported on another XSS flaw in Roundcube getting exploited as a zero-day by the cyberespionage Winter Vivern APT to targeting governmental entities across Europe.
News URL
https://www.helpnetsecurity.com/2024/02/13/cve-2023-43770/
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) (source)
- AI framework vulnerability is being used to compromise enterprise servers (CVE-2023-48022) (source)
- PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497) (source)
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-22 | CVE-2023-43770 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | 6.1 |
| 2021-11-19 | CVE-2021-44026 | SQL Injection vulnerability in multiple products Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | 9.8 |