CISA adds Roundcube Webmail XSS Vulnerability to KEV catalog

This content has been archived, but it remains true and relevant to the underlying technology products or infrastructure services.

The CISA has added the Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. We look at the details of the vulnerability below.

Salient points about CVE-2023-43770

  • Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in text/plain messages.
  • Zscaler’s Niraj Shivtarkar detected the vulnerability, and the Roundcube developers released a patch in September 2023 to fix the XSS issue.
  • This XSS vulnerability is tracked as CVE-2023-43770. It has a CVSS score of 6.1 and a severity rating of ‘MEDIUM’.
  • The CISA added CVE-2023-43770 to the KEV catalog on 12 February 2024. The mitigation or workaround needs to be deployed prior to 4 March 2024.
  • The Roundcube developers released a security patch, version 1.6.3 of Roundcube Webmail, on 15 September 2023 to resolve the XSS threat.
  • It is unclear whether ransomware threat actors could use this vulnerability to target potential networks and systems.
  • The CISA suggests immediate patching of the affected Roundcube webmail versions. If it is not possible to upgrade to the latest version of Roundcube webmail, the CISA recommends discontinuing use of the Roundcube webmail framework.

What versions of Roundcube are affected?

The XSS vulnerability affects the following versions of the Roundcube webmail framework:

  • Roundcube before 1.4.14
  • Roundcube 1.5.x series before 1.5.4 version
  • Roundcube 1.6.x series before 1.6.3 version
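The three ranges above are easy to misread during a fleet check, because an installation on the 1.4 or 1.5 branch can be fully patched without ever reaching 1.6.3. The following script, an added example that is not part of the advisory or of the Roundcube project, encodes the ranges exactly as the list states them and reports whether a given version string is affected. The helper that pulls the version out of Roundcube's iniset.php source assumes the constant is declared as `define('RCMAIL_VERSION', '...')` in program/include/iniset.php; verify that against your own installation before relying on it.

```python
# Added example: decide whether a Roundcube Webmail version falls inside the
# ranges the advisory lists as affected by CVE-2023-43770.
import re
from typing import Optional, Tuple

# First fixed release on each branch, exactly as the advisory lists them.
# Everything older than the 1.4 branch is covered by "before 1.4.14".
FIXED_VERSIONS = {
    "1.4": (1, 4, 14),
    "1.5": (1, 5, 4),
    "1.6": (1, 6, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.6.2' (or '1.6-rc', '1.6') into a comparable (major, minor, patch) tuple.

    A missing patch component counts as 0, so a pre-release such as '1.6-rc'
    sorts before 1.6.3 and is therefore reported as affected.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch) if patch else 0


def is_affected(version: str) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (1, 4):
        return True  # older than the 1.4 branch: "before 1.4.14"
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return False  # a branch newer than 1.6 is not listed as affected
    return (major, minor, patch) < fixed


def version_from_iniset_source(php_source: str) -> Optional[str]:
    """Extract RCMAIL_VERSION from the text of program/include/iniset.php.

    Assumption (see lead-in): the file declares the version with
    define('RCMAIL_VERSION', '<version>'). Returns None if no such line exists.
    """
    match = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'", php_source)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample of the relevant iniset.php line, not a real file.
    sample_iniset = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"
    found = version_from_iniset_source(sample_iniset)
    print(f"detected version {found}: affected={is_affected(found)}")
    for v in ("1.3.17", "1.4.13", "1.4.14", "1.5.3", "1.5.4", "1.6.2", "1.6.3"):
        print(f"{v:>7}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

To use it against a real host, read program/include/iniset.php from the Roundcube installation directory and pass its contents to `version_from_iniset_source`, then feed the result to `is_affected`. Note that a version check only tells you whether the code is patched; it says nothing about whether a crafted message was already delivered to a mailbox before the upgrade, which is why the CISA deadline in the advisory should be treated as an upper bound rather than a target.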

What is the CVE-2023-43770 XSS vulnerability?

The CVE-2023-43770 security vulnerability allows cross-site scripting (XSS) via text/plain e-mail messages containing crafted links, because of the behavior of program/lib/Roundcube/rcube_string_replacer.php, the component that rewrites links found in plain-text bodies.
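The advisory does not describe the defect in rcube_string_replacer.php itself, only the bug class: a plain-text message is rendered as HTML, URLs in it are turned into anchors, and attacker-controlled bytes reach the page without being neutralised. The following function is an added, generic illustration of what a safe plain-text linkifier has to do; it is not Roundcube's code and makes no claim about what the real fix changed. It assumes nothing beyond the Python standard library.

```python
# Added example: render a text/plain body as HTML while linkifying bare URLs,
# with every byte of the input HTML-escaped on its way into the output.
import html
import re

# Only absolute http(s) URLs are eligible to become anchors. Characters that
# could close an attribute or a tag are excluded so an injected quote or angle
# bracket ends the URL instead of being carried into the href.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def linkify_plaintext(text: str) -> str:
    """Convert a text/plain body to HTML with bare URLs wrapped in <a> tags.

    Three separate pieces of the input reach the output, and each is escaped:
    the prose between URLs, the anchor's visible label, and the href attribute.
    Nothing is ever concatenated into the HTML unescaped.
    """
    parts = []
    pos = 0
    for match in URL_RE.finditer(text):
        # Prose before this URL: escape <, >, &, " and '.
        parts.append(html.escape(text[pos:match.start()]))
        url = match.group(0)
        safe_url = html.escape(url, quote=True)  # used for both href and label
        parts.append(
            f'<a href="{safe_url}" rel="noopener noreferrer">{safe_url}</a>'
        )
        pos = match.end()
    # Trailing prose after the last URL (or the whole body if there was none).
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample body, not a real message: a benign link followed by
    # text that tries to break out of the anchor's attribute.
    body = 'Minutes are at https://example.test/notes and 1 < 2 "quoted" done'
    print(linkify_plaintext(body))
```

The property worth checking in a code review of any such routine is that the escaping is applied per fragment, after the URL boundary has been decided, rather than once on the whole string before linkification; escaping first and linkifying afterwards is the ordering that typically lets a crafted link re-introduce markup.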

The vulnerability has a CVSS score of 6.1 and a severity rating of ‘MEDIUM’. You can find more details of the vulnerability on the NIST website.

What is the workaround for CVE-2023-43770?

There are two ways to remediate the CVE-2023-43770 security vulnerability affecting the Roundcube webmail framework.

  1. Upgrade the Roundcube webmail installation to version 1.6.3. Roundcube webmail 1.6.3 was released on 15 September 2023. You can find more information about the software patch on the GitHub page of Roundcube webmail. The update file is well under 4 MB, so the installation or upgrade will be brisk.
  2. If an upgrade of Roundcube webmail is not feasible, stop using the Roundcube webmail framework in the infrastructure.

The NIST recommends patching this software vulnerability in the Roundcube Webmail Framework before 4 March 2024.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.