CISA Adds Roundcube Webmail XSS Vulnerability to its Known Exploited Vulnerabilities Catalog

February 12, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a persistent Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2023-43770, in its Known Exploited Vulnerabilities catalog. Roundcube is a popular open-source web-based email client that supports standard email protocols. The vulnerability can lead to information disclosure through malicious link references in plain-text messages.

The vulnerability was discovered by Niraj Shivtarka and affects versions of Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. Roundcube addressed the vulnerability with the release of version 1.6.3.

As per Binding Operational Directive (BOD) 22-01, federal agencies are mandated to address this vulnerability by March 4, 2024, to secure their networks against potential attacks exploiting the flaw. Private organizations are also advised to review the Catalog and address any vulnerabilities present in their infrastructure.

In a separate incident, the Russia-linked APT group Winter Vivern (also known as TA473) was found exploiting a different zero-day flaw in Roundcube webmail software. This is a different vulnerability from CVE-2020-35730, which the group had exploited in earlier attacks. ESET researchers reported this zero-day vulnerability to Roundcube, and the project patched the issue on October 14th, 2023. This vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
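As an added example (not code from the article or from the Roundcube project), the following Python check maps an installed Roundcube version string onto the two sets of affected ranges quoted above, so an administrator can tell which of the two fixes a given install is still missing. The version-parsing regex and the handling of branches the advisories do not mention are my assumptions.

```python
import re

# Advisory labels as described in the article.
XSS = "CVE-2023-43770 (persistent XSS)"
ZERO_DAY = "zero-day patched 2023-10-14 (Winter Vivern)"

# Per advisory: (major, minor) branch -> first fixed version in that branch,
# taken from the ranges quoted in the article.
ADVISORIES = {
    XSS: {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)},
    ZERO_DAY: {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)},
}


def parse_version(text):
    """Extract an (major, minor, patch) tuple from strings such as '1.6.3',
    'Roundcube Webmail 1.5.4' or '1.6-rc'.  A missing patch number is read
    as 0, which conservatively treats pre-releases as the oldest build of
    their branch (assumption, not Roundcube's own versioning rule)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def status(version, fixes):
    """Classify one version against one advisory's fixed-version table."""
    v = parse_version(version)
    branch = v[:2]
    if branch in fixes:
        return "affected" if v < fixes[branch] else "fixed"
    if branch < min(fixes):
        # Older than every branch the advisory lists ("before 1.4.14" covers
        # 1.3.x and earlier); assume affected rather than silently passing.
        return "affected"
    return "unlisted"  # newer branch the advisory does not mention


def check(version):
    """Return {advisory label: 'affected' | 'fixed' | 'unlisted'}."""
    return {name: status(version, fixes) for name, fixes in ADVISORIES.items()}


if __name__ == "__main__":
    # Constructed sample: a 1.6.3 install has the XSS fix but not the later one.
    for name, result in check("Roundcube Webmail 1.6.3").items():
        print(f"{name}: {result}")
```

A result of "unlisted" means the branch is newer than anything the advisories cover and should be checked against the project's own release notes rather than assumed safe.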
