cbcvebase.
CVE-2020-35730
published 2020-12-28

CVE-2020-35730: An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail…

Priority: P1 (79), severity medium
CVSS 3.1 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-07-13
Exploited in the wild
EPSS: 32.82% (98.1st percentile)
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Affected (7 ranges)

Vendor        | Product      | Version range                              | Fixed in
debian        | debian_linux |                                            |
debian        | roundcube    | < roundcube 1.4.10+dfsg.1-1 (bookworm)     | roundcube 1.4.10+dfsg.1-1 (bookworm)
fedoraproject | fedora       |                                            |
fedoraproject | fedora       |                                            |
roundcube     | webmail      | < 1.2.13                                   | 1.2.13
roundcube     | webmail      | >= 1.3.0 < 1.3.16                          | 1.3.16
roundcube     | webmail      | >= 1.4 < 1.4.10                            | 1.4.10

Detection & IOCs (extracted from sources)

domain: aneria[.]net
domain: armpress[.]net
domain: ceriossl[.]info
domain: global-news-world[.]com
domain: global-world-news[.]net
domain: globalnewsnew[.]com
domain: infocentre[.]icu
domain: mai1[.]namenews[.]info
domain: newsnew[.]info
domain: runstatistics[.]net
domain: sourcescdn[.]net
domain: starvars[.]top
ip: 46.183.219[.]207
ip: 77.243.181[.]238
ip: 144.76.69[.]94
ip: 46.183.219[.]232
ip: 45.138.87[.]250
ip: 144.76.7[.]190
ip: 77.243.181[.]10
ip: 5.199.162[.]132
ip: 185.210.217[.]218
ip: 144.76.184[.]94
ip: 162.55.241[.]4
ip: 185.195.236[.]230
other: ukraine_news@meta[.]ua
  • The exploit is triggered by opening a malicious email in Roundcube — no attachment interaction required; the attack vector is a plain text email with JavaScript embedded in a link reference element mishandled by linkref_addindex in rcube_string_replacer.php
  • Exploitation immediately compromises the Roundcube server upon the victim opening the email, without any attachment interaction — monitor for unexpected JavaScript execution originating from Roundcube webmail sessions
  • Post-exploitation activity includes creation of email forwarding rules redirecting incoming mail to attacker-controlled addresses, and collection of session cookies, user info, and address books — hunt for anomalous forwarding rules and cookie exfiltration in Roundcube logs
  • The malicious email attachment contained JavaScript that fetched and executed additional JavaScript payloads from attacker-controlled infrastructure — monitor outbound HTTP/S requests from Roundcube server processes to external domains
  • Winter Vivern also exploited CVE-2020-35730 between August and September 2023 — broaden detection to include this threat actor's TTPs when hunting for exploitation of this vulnerability
  • CVE-2020-35730 affects Roundcube Webmail versions before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10 — IOCs and TTPs are only relevant against unpatched instances in these version ranges
  • The BlueDelta campaign combined CVE-2020-35730 with two additional Roundcube vulnerabilities (CVE-2020-12641 and CVE-2021-44026) in the same attack chain — detections and IOCs may overlap across all three CVEs
  • The BlueDelta infrastructure IP addresses have defined active date ranges (November 2021 – June 2023); historical detections should be scoped to those windows to reduce false positives

CVSS provenance

nvd v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
nvd v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
osv: 6.1 MEDIUM
vulncheck: 6.1 MEDIUM
cisa: 6.1 MEDIUM
vendor_debian: 6.1 MEDIUM
vendor_ubuntu: 6.1 MEDIUM