PT-2023-5637 · Roundcube+4 · Roundcube+4

Niraj Shivtarkar

Published

2019-11-09

Updated

2026-04-10

CVE-2023-43770

CVSS v2.0

6.4

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3.

Description: Roundcube Webmail contains a cross-site scripting (XSS) vulnerability in the rcube string replacer.php component due to insufficient sanitization of characters in text/plain email messages. This allows a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser. The vulnerability is actively exploited in the wild, with reports of exploitation by the Winter Vivern threat actor. CISA has added this vulnerability (CVE-2023-43770) to its Known Exploited Vulnerabilities catalog.

Recommendations: Upgrade Roundcube to version 1.4.14 or later. Upgrade Roundcube to version 1.5.4 or later. Upgrade Roundcube to version 1.6.3 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2019-3109

ALT-PU-2020-1898

ALT-PU-2020-2367

ALT-PU-2021-3558

ALT-PU-2022-1073

ALT-PU-2023-6826

ALT-PU-2025-1825

ALT-PU-2025-8283

BDU:2023-06297

BIT-ROUNDCUBE-2023-43770

CVE-2023-43770

DLA-3577-1

USN-6654-1

Affected Products

Alt Linux

Linuxmint

Red Os

Roundcube

Ubuntu

PT-2023-5637 · Roundcube+4 · Roundcube+4

CVE-2023-43770

Weakness Enumeration

Related Identifiers

Affected Products

References · 103