Attack

Roundcube CVE-2023-43770 webmail vulnerability actively exploited by hackers

Take action: Another vulnerability with a relatively low severity score that is nonetheless being actively exploited. Much like other XSS attacks, this one is delivered by packaging the exploit in an e-mail message and persuading someone with access to the system to run the exploit on the attacker's behalf.


Learn More

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a vulnerability in the Roundcube webmail software. Roundcube is a widely used open-source, web-based IMAP email client that offers an application-like user experience and is commonly deployed in government and public institutions.

The vulnerability, tracked as CVE-2023-43770 (CVSS score 6.1), is a cross-site scripting (XSS) vulnerability. It is exploitable through plain-text email messages containing crafted links. When exploited, it can lead to unauthorized information disclosure by allowing an attacker to execute arbitrary JavaScript within the context of the user's session.

Vulnerable versions of Roundcube are

  • 1.4.14,
  • all 1.5.x versions prior to 1.5.4,
  • all 1.6.x versions before 1.6.3.
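The version list above is the check a defender actually needs to run against an inventory. The following is an added example (not Roundcube's or CISA's code) that encodes exactly the affected ranges the advisory lists and triages a constructed set of host banners; it assumes the version appears somewhere in each inventory line as x.y.z and ignores pre-release suffixes.

```python
import re

# Affected ranges as listed in the advisory: (lo, hi) means lo <= version < hi.
# Only what the advisory names is encoded; older 1.4.x releases are not covered.
AFFECTED_RANGES = [
    ((1, 4, 14), (1, 4, 15)),   # exactly 1.4.14
    ((1, 5, 0), (1, 5, 4)),     # all 1.5.x prior to 1.5.4
    ((1, 6, 0), (1, 6, 3)),     # all 1.6.x before 1.6.3
]


def parse_version(text):
    """Extract the first x.y.z version from text as a tuple of ints.

    Raises ValueError when no dotted three-part version is present, so
    callers can report unknown versions instead of silently marking them safe.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True when the version in text falls inside an affected range."""
    version = parse_version(text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory_lines):
    """Split inventory lines into vulnerable, fixed and unknown buckets."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for line in inventory_lines:
        try:
            bucket = "vulnerable" if is_vulnerable(line) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(line.split()[0])
    return result


# Constructed sample inventory (hostname followed by the banner string).
SAMPLE_INVENTORY = [
    "mail01 Roundcube Webmail 1.6.2",
    "mail02 Roundcube Webmail 1.6.3",
    "mail03 Roundcube Webmail 1.5.3",
    "mail04 Roundcube Webmail 1.4.14",
    "mail05 Roundcube Webmail version unknown",
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```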

Proof-of-concept exploit code for CVE-2023-43770 has been publicly available for several months, enabling near-automatic attack tooling.