The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a persistent Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2023-43770, to its Known Exploited Vulnerabilities (KEV) catalog. Roundcube is a popular open-source web-based email client that supports the standard email protocols. According to CISA's catalog entry, the vulnerability can lead to information disclosure via malicious link references in text/plain messages: the flaw lies in how Roundcube turns links in plain-text mail into clickable HTML, so a crafted message can inject script into the recipient's webmail session.
The vulnerability was discovered by Niraj Shivtarka and affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. Roundcube fixed it in version 1.6.3 and backported the fix to the 1.5.4 and 1.4.14 releases.
Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must remediate this vulnerability by March 4, 2024, to protect their networks against attacks exploiting the flaw. CISA also advises private organizations to review the catalog and address any listed vulnerabilities present in their infrastructure.
In a separate case, the Russia-linked APT group Winter Vivern (also known as TA473) was observed exploiting a different zero-day flaw in Roundcube Webmail, distinct from CVE-2020-35730, which the group had exploited in earlier attacks. ESET researchers reported the zero-day to Roundcube, and the project patched it on October 14, 2023. That vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
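As an added check (not code from CISA, Roundcube, ESET or this article), the following Python script takes an installed Roundcube version string and reports whether it falls inside the affected ranges quoted above for CVE-2023-43770 and for the zero-day patched on October 14, 2023. The version table is transcribed from the two advisories; the advisory labels, the tri-state result convention and the sample version strings are constructed here, and the zero-day is referred to by its patch date because the article does not name its CVE.

```python
from __future__ import annotations

import re
from typing import Optional

# Fixed releases per minor branch, transcribed from the two advisories above.
# A version is affected when it belongs to a listed branch and is older than
# that branch's fixed release.
CVE_2023_43770 = {
    "name": "CVE-2023-43770 (persistent XSS via links in text/plain messages)",
    "fixed": {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)},
    # "before 1.4.14" is unqualified, so older branches (1.3.x and earlier)
    # count as affected too.
    "older_branches_affected": True,
}
WINTER_VIVERN_ZERO_DAY = {
    "name": "Roundcube zero-day exploited by Winter Vivern (patched 2023-10-14)",
    "fixed": {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)},
    # Only 1.4.x/1.5.x/1.6.x are named, so older branches are "not stated".
    "older_branches_affected": None,
}
ADVISORIES = [CVE_2023_43770, WINTER_VIVERN_ZERO_DAY]

# Accepts "1.6.3", "v1.6", "1.4.15-1+deb12u1" (Debian-style packaging suffix).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); a missing patch level is treated as 0.

    Packaging suffixes after the upstream version are ignored. Raises
    ValueError when no "major.minor" prefix can be found.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str, advisory: dict) -> Optional[bool]:
    """True = inside the affected range, False = fixed, None = branch not covered."""
    v = parse_version(version)
    branch = v[:2]
    fixed = advisory["fixed"]
    if branch in fixed:
        return v < fixed[branch]
    if branch < min(fixed):
        # Branch predates every listed one; defer to the advisory's wording.
        return advisory["older_branches_affected"]
    # A branch newer than any listed was released after the fix.
    return False


def check(version: str) -> dict[str, Optional[bool]]:
    """Map each advisory label to its tri-state result for the given version."""
    return {a["name"]: is_affected(version, a) for a in ADVISORIES}


if __name__ == "__main__":
    # Constructed sample inputs, including one Debian-style package version.
    for sample in ["1.6.2", "1.6.3", "1.6.4", "1.5.4", "1.4.15-1+deb12u1", "1.3.17"]:
        print(sample, check(sample))
```

Two caveats when using this against a real deployment: distribution packages often backport security fixes without bumping the upstream version, so a "True" result for a packaged Roundcube is a prompt to read the package changelog rather than proof of exposure; and because CVE-2023-43770 is now in the KEV catalog, any instance that does report as affected should be treated as a target of active exploitation and patched (or taken offline) rather than scheduled for a routine maintenance window.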