The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2023-43770 and rated 6.1 (medium) on the CVSS scale, the flaw is a cross-site scripting (XSS) bug; inclusion in the KEV catalog means CISA has evidence it is being exploited in the wild.
CVE-2023-43770 in Detail
As described by CISA and the National Vulnerability Database (NVD), the flaw lies in how Roundcube Webmail handles link references ("linkrefs") in text/plain messages: a crafted link in a plain-text e-mail is rendered without adequate escaping (NVD points to program/lib/Roundcube/rcube_string_replacer.php), so attacker-supplied markup reaches the recipient's browser. Because the malicious message sits in the victim's mailbox, this is a persistent (stored) XSS: the injected script runs in the webmail origin, with the recipient's authenticated session, each time the message is opened, which is what makes information disclosure possible.
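To make the bug class concrete, here is an illustrative model of a plain-text "linkref" renderer. It is an added example, not Roundcube's code, and it does not reproduce the real rcube_string_replacer logic; the message format ("see [1]" plus a definition line "[1] https://..."), the placeholder scheme and the sample messages are all constructed for the demonstration. The renderer follows a common linkifier pattern: swap link markup for placeholders, HTML-escape the body, then reinsert the pre-built anchors. The pitfall is that the anchors bypass the escaping pass, so whatever attacker-controlled text ends up inside them has to be escaped and scheme-checked on its own; `hardened=False` shows the breakout, `hardened=True` the fix.

```python
import html
import re

# Illustrative model of a plain-text "linkref" renderer (added example; not
# Roundcube's code). Messages carry references such as "see [1]" plus
# definition lines "[1] https://...", and each "[n]" becomes an anchor.
# Pipeline: link markup -> placeholders, HTML-escape the body, reinsert the
# pre-built anchors. The anchors skip the escaping pass, so anything the
# sender controls inside them must be escaped (and scheme-checked) separately.

LINKREF_DEF = re.compile(r"^\[(\d+)\]\s+(.+?)\s*$", re.MULTILINE)
LINKREF_USE = re.compile(r"\[(\d+)\]")
SAFE_SCHEME = re.compile(r"^(https?|mailto):", re.IGNORECASE)
PLACEHOLDER = "\x00{}\x00"
PLACEHOLDER_RE = re.compile("\x00(\\d+)\x00")


def render_plaintext(text: str, hardened: bool) -> str:
    """Render a text/plain body to HTML; hardened=False reproduces the bug class."""
    # NUL delimits placeholders, so strip it from input first; otherwise a
    # message could forge a placeholder and pull in an arbitrary anchor index.
    text = text.replace("\x00", "")
    defs = {m.group(1): m.group(2) for m in LINKREF_DEF.finditer(text)}
    anchors = []  # HTML fragments reinserted verbatim after escaping

    def to_placeholder(m):
        idx = m.group(1)
        url = defs.get(idx)
        if url is None:
            return m.group(0)  # "[n]" with no definition stays ordinary text
        if hardened:
            if not SAFE_SCHEME.match(url):
                return m.group(0)  # refuse javascript:, data:, vbscript: ...
            href = html.escape(url, quote=True)  # neutralise " and ' in the value
        else:
            href = url  # BUG: raw message text lands inside an attribute
        anchors.append(f'<a href="{href}">[{idx}]</a>')
        return PLACEHOLDER.format(len(anchors) - 1)

    with_placeholders = LINKREF_USE.sub(to_placeholder, text)
    escaped = html.escape(with_placeholders, quote=True)
    return PLACEHOLDER_RE.sub(lambda m: anchors[int(m.group(1))], escaped)


# Constructed sample messages (not real captured mail).
BENIGN = "Release notes: [1]\n\n[1] https://example.test/notes"
ATTR_BREAKOUT = 'Read this [1]\n\n[1] https://example.test/x" onmouseover="alert(1)'
JS_SCHEME = "Click [1]\n\n[1] javascript:alert(document.cookie)"


def injected_handler_present(rendered: str) -> bool:
    """True if the sender's event handler survived as a live HTML attribute."""
    return 'onmouseover="alert(1)"' in rendered


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("attr-breakout", ATTR_BREAKOUT), ("js-scheme", JS_SCHEME)]
    for name, msg in samples:
        print(f"--- {name} / vulnerable ---\n{render_plaintext(msg, hardened=False)}")
        print(f"--- {name} / hardened ---\n{render_plaintext(msg, hardened=True)}")
```

Running it shows the vulnerable path emitting `<a href="https://example.test/x" onmouseover="alert(1)">`, a live handler in the recipient's webmail origin, while the hardened path keeps the same text inert as `&quot;`-escaped attribute content and leaves the `javascript:` reference as plain text. The two rules that matter are the ones the model isolates: escape every fragment that bypasses the main escaping pass, and allow-list URL schemes rather than trusting whatever the sender wrote.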
Affected Roundcube Versions
Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are affected; the fix is in 1.4.14, 1.5.4 and 1.6.3, with 1.6.3 released on September 15, 2023. The vulnerability was discovered and reported by Zscaler security researcher Niraj Shivtarkar.
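The three version ranges above are branch-specific, which is easy to get wrong in an inventory check: everything older than 1.4.14 is affected (including branches that never received a fix), while a release from a branch newer than 1.6 was cut after the fix and is not in the range. The following check, an added example rather than Roundcube's or CISA's code, encodes those rules. It assumes you already have the release version string of the deployed tree (for a Roundcube install that is the `RCMAIL_VERSION` constant in program/include/iniset.php, an assumption about file layout rather than something this page states).

```python
import re

# Branch-aware check of a Roundcube version against the ranges CVE-2023-43770
# affects (added example; not Roundcube's or CISA's code). Input is assumed
# to be a plain release version string such as "1.6.2".

# Lowest fixed release on each branch that received the fix.
FIXED_BY_BRANCH = {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)}
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_release(version: str):
    """Accept only numeric release versions; snapshots such as '1.6-git' are
    rejected because their patch state cannot be read from the string."""
    m = RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a release version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if version is in 'before 1.4.14, 1.5.x before 1.5.4, or 1.6.x
    before 1.6.3'. Anything older than the oldest fix is affected regardless
    of branch; a branch newer than 1.6 postdates the fix and is out of range."""
    v = parse_release(version)
    if v < min(FIXED_BY_BRANCH.values()):
        return True
    fix = FIXED_BY_BRANCH.get(v[:2])
    return fix is not None and v < fix


def remediation(version: str) -> str:
    """Name the upgrade target for an affected version, or say it is in the clear."""
    if not is_affected(version):
        return f"{version}: not in the affected range"
    fix = FIXED_BY_BRANCH.get(parse_release(version)[:2])
    if fix:
        return f"{version}: affected, upgrade to {'.'.join(map(str, fix))} or later"
    return f"{version}: affected, upgrade to 1.4.14 or a newer branch"


if __name__ == "__main__":
    for v in ["1.3.17", "1.4.13", "1.4.14", "1.5.0", "1.5.4", "1.6.2", "1.6.3", "1.7.0"]:
        print(remediation(v))
```

The asymmetry between the first rule and the branch rules is the whole point: a naive "is it below 1.6.3" test flags 1.4.14 and 1.5.4 as vulnerable and 1.4.13 as fine, which is the opposite of the advisory.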
Details of how CVE-2023-43770 is being exploited have not been published. Webmail clients are an established target, though: Russia-aligned groups including APT28 and Winter Vivern have previously weaponized Roundcube vulnerabilities, and a stored XSS that fires when a recipient simply opens a message is exactly the kind of flaw such campaigns favor. That track record is why a medium-severity rating should not delay patching.
Under Binding Operational Directive 22-01, CISA has directed U.S. Federal Civilian Executive Branch (FCEB) agencies to apply the vendor fix by March 4, 2024. Organizations outside the FCEB are not bound by that deadline, but the remediation is the same: upgrade to 1.4.14, 1.5.4 or 1.6.3 (or a later release) on the branch you run.