CVE-2023-43770 in Roundcube Email Software Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a vulnerability in the Roundcube email software to its Known Exploited Vulnerabilities (KEV). Identified as CVE-2023-43770 with a CVSS score of 6.1, this cross-site scripting (XSS) vulnerability has been actively exploited in the wild.

CVE-2023-43770 in Detail

The vulnerability, as described by CISA and the National Vulnerability Database (NVD), stems from the mishandling of link references ("linkrefs") in plain-text messages in Roundcube Webmail. This flaw can result in persistent (stored) cross-site scripting (XSS), with the attendant risk of information disclosure through malicious link references.

Affected Roundcube Versions

Roundcube versions prior to 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are confirmed to be susceptible to this vulnerability. Roundcube maintainers addressed the issue with the release of version 1.6.3 on September 15, 2023. Credit for discovering and reporting this vulnerability goes to Zscaler security researcher Niraj Shivtarkar.
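A branch-aware check against the version ranges quoted above, added here as an example (it is not Roundcube's own code or part of the advisory); the hostnames and version strings in the sample inventory are constructed, and treating branches newer than 1.6 as unaffected is an assumption:

```python
import re

# First fixed release per branch, from the advisory: 1.5.x < 1.5.4 and 1.6.x < 1.6.3
# are affected; anything older than 1.4.14 on any earlier branch is affected too.
FIXED_BY_BRANCH = {(1, 5): (1, 5, 4), (1, 6): (1, 6, 3)}
OLDEST_FIXED = (1, 4, 14)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(version):
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a missing PATCH is 0
    and trailing suffixes such as '-beta' are ignored. Raises ValueError otherwise."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version):
    """True if the version falls inside one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch > (1, 6):
        return False  # assumption: branches newer than 1.6 post-date the fix
    return v < OLDEST_FIXED

def triage(inventory):
    """Sort (host, version) pairs into hosts needing the fix, hosts already on a
    fixed release, and hosts whose version string could not be parsed."""
    buckets = {"needs_patch": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        try:
            buckets["needs_patch" if is_affected(version) else "fixed"].append(host)
        except ValueError:
            buckets["unknown"].append(host)  # needs a manual look
    return {k: sorted(v) for k, v in buckets.items()}

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("mail-a.example.internal", "1.6.2"),   # 1.6.x before 1.6.3 -> affected
    ("mail-b.example.internal", "1.6.3"),   # the fixed release
    ("mail-c.example.internal", "1.4.13"),  # prior to 1.4.14 -> affected
    ("mail-d.example.internal", "1.5.4"),   # 1.5 branch fix
    ("mail-e.example.internal", "n/a"),     # unparsable -> manual check
]
```

Calling `triage(SAMPLE_INVENTORY)` returns the three buckets; feed it the real (host, version) pairs from your own inventory to get a patch list.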

While the specifics of the CVE-2023-43770 exploitation remain undisclosed, past incidents have seen web-based email client vulnerabilities weaponized by threat actors, including Russia-linked groups such as APT28 and Winter Vivern. The potential impact of such exploitation underscores the urgency for users and organizations to apply the available updates.

In response to this threat, U.S. Federal Civilian Executive Branch (FCEB) agencies have been directed to implement vendor-provided fixes by March 4, 2024. This mandate aims to fortify networks against potential cyber threats stemming from the identified vulnerability.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!