The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on Monday regarding a significant security vulnerability affecting the Roundcube email software. The flaw is rated medium severity and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling ongoing exploitation activity.
The vulnerability, tracked as CVE-2023-43770 with a CVSS score of 6.1, is a cross-site scripting (XSS) weakness that stems from the mishandling of link references within plain text messages.
CISA’s advisory states, “Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.”
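The flaw belongs to a familiar class: plain-text mail is converted to HTML for display, and links are made clickable, but the text is not escaped consistently before it reaches the page. The Python snippet below is an added illustration of the defensive pattern (escape every character first, then turn only http/https tokens into anchors); it is not Roundcube’s code and makes no claim about how Roundcube’s converter is implemented. The `text_to_html` function, the `URL_RE` pattern and the sample inputs are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes become clickable links; anything else (javascript:, data:,
# vbscript:, ...) is rendered as inert, escaped text.
SAFE_SCHEMES = {"http", "https"}

# Constructed pattern: a token that looks like scheme:rest with no whitespace or
# HTML-significant characters. Deliberately conservative rather than complete.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:[^\s<>\"']+")


def text_to_html(text: str) -> str:
    """Render plain text as HTML: escape everything, then linkify safe URLs only."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        # Text between link candidates is escaped before it reaches the page.
        out.append(html.escape(text[pos:m.start()], quote=True))
        token = m.group(0)
        escaped = html.escape(token, quote=True)
        scheme = urlsplit(token).scheme.lower()
        if scheme in SAFE_SCHEMES:
            # href and visible label are both the escaped token; rel= keeps the
            # opened page from reaching window.opener.
            out.append(f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>')
        else:
            # Unknown or dangerous scheme: keep it as visible text, never a link.
            out.append(escaped)
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out).replace("\n", "<br>\n")


if __name__ == "__main__":
    # Constructed sample inputs: a normal link, markup in the body, a script URL.
    for sample in ("see http://example.com/?a=1&b=2",
                   "<script>alert(1)</script>",
                   "click javascript:alert(1) now"):
        print(text_to_html(sample))
```

The order matters: escaping after linkification would re-encode the anchors the converter just built, while escaping only the non-link segments leaves the URL text itself unescaped inside `href`, so the whole token is escaped before it is used in either position.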
According to the National Vulnerability Database (NVD) maintained by NIST, this vulnerability affects Roundcube versions prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3.
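To check an installed base against the NVD ranges just quoted, here is an added Python example (not from CISA, NVD or the Roundcube project); `parse_version`, `is_vulnerable`, `hosts_needing_patch` and the sample inventory are constructed for this illustration.

```python
from typing import Dict, List, Tuple

# Affected ranges for CVE-2023-43770 as published by NVD (quoted in the text):
# versions prior to 1.4.14, 1.5.x prior to 1.5.4, 1.6.x prior to 1.6.3.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '1.6.2', '1.6' or '1.6.2-rc1' to a three-part tuple; suffixes are dropped."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIRST_FIXED:
        return ver < FIRST_FIXED[branch]
    # 'prior to 1.4.14' also covers every branch older than 1.4 (1.3.x, 1.2.x, ...).
    # Branches newer than 1.6 are outside the published ranges.
    return ver < (1, 4, 14)


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the host names whose Roundcube version is inside an affected range."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (host name, reported Roundcube version).
SAMPLE_INVENTORY = [
    ("mail-01", "1.6.2"),
    ("mail-02", "1.6.3"),
    ("mail-03", "1.5.3"),
    ("legacy-01", "1.3.17"),
    ("mail-04", "1.4.14"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: update to a fixed release")
```

The branch lookup is what makes the check correct: a plain numeric comparison against 1.6.3 alone would wrongly clear 1.5.3 and 1.4.13, both of which sit below the first fixed release of their own branch.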
The Roundcube development team addressed this flaw in version 1.6.3, released on September 15, 2023. The discovery and reporting of this vulnerability are credited to security researcher Niraj Shivtarkar from Zscaler.
While the specific methods of exploitation remain undisclosed, it is worth noting that similar vulnerabilities in web-based email clients have previously been exploited by threat actors such as APT28 and Winter Vivern, with suspected ties to Russia.
U.S. Federal Civilian Executive Branch (FCEB) agencies are under strict mandate to implement the provided patches from vendors by March 4, 2024, to fortify their networks against potential threats.