Roundcube | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  added  a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The issue, tracked as  CVE-2023-43770  (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages. "Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said. According to a description of the bug on NIST's National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The flaw was  addressed  by Roundcube maintainers with  version 1.6.3 , which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has be...

The threat actor known as  Winter Vivern  has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou  said  in a new report published today. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online." Winter Vivern, also known as TA473 and UAC-0114, is an  adversarial collective  whose objectives align with that of Belarus and Russia. Over the past few months, it has been attributed to attacks against Ukraine and Poland, as well as government entities across Europe and India. The group is also assessed to have exploited another flaw Roundcube as recently as August and September (CVE-2020-35730), making it the  second nation-state group after APT28  to target the op...

"A boxer derives the greatest advantage from his sparring partner…" — Epictetus, 50–135 AD Hands up. Chin tucked. Knees bent. The bell rings, and both boxers meet in the center and circle. Red throws out three jabs, feints a fourth, and—BANG—lands a right hand on Blue down the center. This wasn't Blue's first day and despite his solid defense in front of the mirror, he feels the pressure. But something changed in the ring; the variety of punches, the feints, the intensity – it's nothing like his coach's simulations. Is my defense strong enough to withstand this? He wonders, do I even have a defense? His coach reassures him "If it weren't for all your practice, you wouldn't have defended those first jabs. You've got a defense—now you need to calibrate it. And that happens in the ring." Cybersecurity is no different. You can have your hands up—deploying the right architecture, policies, and security measures—but the smallest gap in your defense could let an attacker land a kn...