May 6, 2024

The US CISA has issued an alert about a significant, actively exploited flaw in Roundcube Webmail. The vulnerability could let attackers execute malicious code directly in a victim's webmail client, posing a substantial risk to both private and government organizations.

The vulnerability is tracked as CVE-2023-43770 and carries a CVSS score of 6.1, indicating moderate severity but significant impact. It allows Cross-Site Scripting (XSS) attacks through seemingly innocuous text/plain email messages containing crafted links. The root cause is a specific behavior in the program/lib/Roundcube/rcube_string_replacer.php file. Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are affected, exposing an untold number of systems to potential compromise.
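The affected-version ranges above are exactly what an administrator needs to triage an installation. The following is an added example (not code from CISA, Roundcube, or this article) that encodes those three ranges as a branch-aware check and reads the installed version out of Roundcube's `program/include/iniset.php`; it assumes that file defines the version via `define('RCMAIL_VERSION', '...')`, and the PHP snippet used as input is constructed for illustration.

```python
import re

# Fixed versions per release branch, taken from the advisory text above:
# anything before 1.4.14, 1.5.x before 1.5.4 and 1.6.x before 1.6.3 is affected.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

# Constructed sample of the define() line found in program/include/iniset.php
# (assumption: the real file uses this form).
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.2');
define('RCMAIL_START', microtime(true));
"""


def parse_version(text):
    """Turn '1.6.2' or '1.4.13' into a tuple of ints.

    A pre-release or git suffix such as '1.6.3-beta' is treated as its base
    version; anything else that does not look like a version raises.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the given Roundcube version falls in an affected range for CVE-2023-43770."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        # 1.4.x / 1.5.x / 1.6.x: affected only below that branch's fixed release
        return v < FIXED_VERSIONS[branch]
    # Older branches (1.3.x and earlier) are all "before 1.4.14", hence affected.
    if v < (1, 4, 14):
        return True
    # Branches newer than 1.6 are outside the advisory's affected ranges.
    return False


def version_from_iniset(php_source):
    """Extract the RCMAIL_VERSION constant from the contents of iniset.php."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found in iniset.php")
    return m.group(1)


def assess(php_source):
    """Return (version, affected) for an iniset.php file's contents."""
    version = version_from_iniset(php_source)
    return version, is_affected(version)


if __name__ == "__main__":
    # Run against a real install with:  python3 check.py < program/include/iniset.php
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INISET
    ver, hit = assess(src)
    print(f"Roundcube {ver}: {'AFFECTED - update' if hit else 'not in affected range'}")
```

Feeding the installed `iniset.php` on stdin gives a one-line verdict; on an affected version the mitigation is simply upgrading to 1.4.14, 1.5.4 or 1.6.3 (or later) on the same branch.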


This isn’t the first time Roundcube Webmail has found itself in the eye of a cybersecurity storm. The platform has been a favored target for hackers, with its vulnerabilities being exploited in numerous incidents over the years. Notably, the Winter Vivern Russian hacking group has leveraged a zero-day vulnerability in Roundcube in its operations against European government entities and think tanks since at least October 11, 2023.

In response to the identified threat, the Roundcube development team has taken swift action, releasing security updates aimed at patching the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) reported by ESET researchers on October 16, 2023.

The deadline for U.S. federal agencies to implement the necessary security updates or mitigations is March 4, 2024. This directive, however, has implications that extend beyond federal agencies.
