Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)

CVE-2023-43770, a vulnerability in the Roundcube webmail software that was fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.


About CVE-2023-43770

Roundcube is an open-source, browser-based IMAP client with an application-like user interface.

CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting (XSS) attacks through specially crafted links in plain text email messages.

The vulnerability could lead to information disclosure, and affects Roundcube versions 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
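To turn the affected-version ranges above into something an administrator can run against an inventory, here is an added example (not code from the article or from the Roundcube project) that classifies a Roundcube version string as affected, fixed, or outside the ranges the advisory text lists; the inventory entries are constructed sample data.

```python
# Added example: classify Roundcube versions against the ranges the article states
# for CVE-2023-43770: 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
import re
from typing import Dict, List, Tuple

# First fixed release per branch, exactly as the advisory text gives them.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}
# The only 1.4 release the advisory names; other 1.4 versions are not covered by the text.
EXACT_AFFECTED = {(1, 4, 14)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract x.y.z from strings such as '1.6.2', '1.6.2-rc1' or 'Roundcube Webmail 1.6.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def cve_2023_43770_status(text: str) -> str:
    """Return 'affected', 'fixed', or 'not-listed' (a branch the advisory text does not cover)."""
    v = parse_version(text)
    if v in EXACT_AFFECTED:
        return "affected"
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not-listed"
    # Tuple comparison orders (1, 5, 0) < (1, 5, 4) correctly, digit by digit.
    return "affected" if v < fixed else "fixed"


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported version falls inside the stated affected ranges."""
    return sorted(h for h, ver in inventory.items() if cve_2023_43770_status(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {"mail1.example.test": "Roundcube Webmail 1.6.2",
              "mail2.example.test": "1.6.3",
              "mail3.example.test": "1.5.1"}
    for host in affected_hosts(sample):
        print(f"{host}: patch required for CVE-2023-43770")
```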

Proof-of-concept exploit code for CVE-2023-43770 has been available online for many months.

Roundcube vulnerabilities often exploited for cyberespionage

In June 2023, Recorded Future and Ukraine’s CERT uncovered a spear-phishing campaign targeting several Ukrainian state organizations with emails exploiting an XSS flaw in Roundcube (CVE-2020-35730) and CVE-2021-44026, an SQL injection flaw, to exfiltrate information from the Roundcube database.

In October 2023, ESET reported on another XSS flaw in Roundcube being exploited as a zero-day by the cyberespionage group Winter Vivern to target governmental entities across Europe.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA noted.

Its KEV catalog lists vulnerabilities that US federal civilian executive branch (FCEB) agencies have to remediate within a specified time frame, but it’s also a helpful tool for other organizations.

Roundcube is actively developed software, and its maintainers are regularly patching vulnerabilities found in it. Organizations using it are advised to keep an eye out for security updates and implement them quickly.
