Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now
Feb 13, 2024
Vulnerability / Email Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.

"Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said.

According to a description of the bug on NIST's National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

The flaw was addressed by Roundcube maintainers with version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with dis
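As an added illustration of the bug class described above (a persistent XSS introduced while turning link references in a plain-text message into HTML anchors), the following Python snippet is a generic linkifier, not Roundcube's code and not a reproduction of CVE-2023-43770. It shows the unsafe pattern, interpolating the matched link text into markup without escaping it, beside the hardened form that entity-encodes the match. The regex, the function names and the sample message bodies are constructed for this example.

```python
import html
import re

# Constructed sample plain-text message bodies (not captured mail).
BENIGN = "See https://example.com/docs for details."
# A single whitespace-free token that looks like a URL but carries a closing
# quote and an event-handler attribute. A permissive linkifier matches the
# whole token as "the URL" and must treat it as data, never as markup.
HOSTILE = 'Read https://example.com/x"onmouseover="alert(1) now.'

# Deliberately permissive: anything non-whitespace after http(s):// is a link.
URL_RE = re.compile(r"https?://\S+")


def linkify_vulnerable(text: str) -> str:
    """Escape the surrounding text but paste the matched link into the
    anchor verbatim. This is the unsafe pattern: the match is user data."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{url}">{url}</a>')  # BUG: url is not escaped
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_hardened(text: str) -> str:
    """Same traversal, but the matched link is entity-encoded before it is
    placed in the attribute value and the element body, so a quote inside
    the match cannot terminate href and start a new attribute."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        safe = html.escape(m.group(0), quote=True)  # " -> &quot; etc.
        out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def injects_handler(rendered: str) -> bool:
    """True if the rendered HTML contains a raw, unescaped on*="..." attribute,
    i.e. the link text broke out of the href value."""
    return re.search(r'\bon[a-z]+="', rendered) is not None


if __name__ == "__main__":
    print(linkify_vulnerable(HOSTILE))
    print(linkify_hardened(HOSTILE))
```

The vulnerable output for the hostile message is `<a href="https://example.com/x"onmouseover="alert(1)">...`, which browsers parse as an `href` attribute followed by an `onmouseover` attribute; the hardened output keeps the whole token inside one quoted attribute value.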