CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog

CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
February 12, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Roundcube Webmail Persistent Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2023-43770, to its Known Exploited Vulnerabilities (KEV) catalog.

Roundcube is an open-source web-based email client. It provides a user-friendly interface for accessing email accounts via a web browser. Users can send and receive emails, manage their contacts, organize messages into folders, and perform various other email-related tasks. Roundcube supports standard email protocols such as IMAP and SMTP, making it compatible with a wide range of email servers.

The exploitation of the vulnerability can lead to information disclosure via malicious link references in plain/text messages.

The vulnerability was discovered by Niraj Shivtarka, it impacts Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The vulnerability was fixed with the release of version 1.6.3.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 4, 2024.

In October, Russia-linked APT group Winter Vivern (aka TA473) was observed exploiting another zero-day flaw in Roundcube webmail software.

ESET researchers pointed out that is a different vulnerability than CVE-2020-35730, that the group exploited in other attacks.

ESET reported the zero-day to Roundcube, and the company patched the issue on October 14^th, 2023. The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)