Roundcube · Roundcube · CVE-2023-43770
Name of the Vulnerable Software and Affected Versions:
Roundcube versions prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3.
Description:
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability in the `rcube string replacer.php` component due to insufficient sanitization of characters in text/plain email messages. This allows a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser. The vulnerability is actively exploited in the wild, with reports of exploitation by the Winter Vivern threat actor. CISA has added this vulnerability (CVE-2023-43770) to its Known Exploited Vulnerabilities catalog.
Recommendations:
Upgrade Roundcube to version 1.4.14 or later. Upgrade Roundcube to version 1.5.4 or later. Upgrade Roundcube to version 1.6.3 or later.