⚠ Actively exploited

Added to CISA KEV on 2023-06-22. Federal agencies required to patch by 2023-07-13. Required action: Apply updates per vendor instructions..

CVE-2020-35730 — Cross-site Scripting in Webmail

CWE-79 — Cross-site Scripting18 documents11 sources

Severity

6.1MEDIUMNVD

EPSS

64.8%

top 1.53%

CISA KEV

KEV

Added 2023-06-22

Due 2023-07-13

Exploit

Exploited in wild

Active exploitation observed

Affected products

Roundcube Webmail Debian Linux Fedoraproject Fedora

Timeline

PublishedDec 28

KEV addedJun 22

KEV dueJul 13

Latest updateMay 21

CISA Required Action: Apply updates per vendor instructions.

Description

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDroundcube/webmail1.3.0 — 1.3.16+2

Also affects: Debian Linux 9.0, Fedora 32, 33

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

roundcube vulnerabilities↗2022-08-08

▶

GHSA

GHSA-mr5j-h8xf-5m2m: linkref_addindex in rcube_string_replacer↗2022-05-24

▶

CVEList

CVE-2020-35730: An XSS issue was discovered in Roundcube Webmail before 1↗2020-12-28

▶

OSV

CVE-2020-35730: An XSS issue was discovered in Roundcube Webmail before 1↗2020-12-28

▶

VulnCheck

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability↗2020

▶

📋Vendor Advisories

CISA

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability↗2023-06-22

▶

Ubuntu

Roundcube Webmail vulnerabilities↗2022-08-08

▶

Debian

CVE-2020-35730: roundcube - An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3...↗2020

▶

🕵️Threat Intelligence

Bleepingcomputer

Russian hackers breach orgs to track aid routes to Ukraine↗2025-05-21

▶

Bleepingcomputer

Government webmail hacked via XSS bugs in global spy campaign↗2025-05-15

▶

Bleepingcomputer

CISA: Roundcube email server bug now exploited in attacks↗2024-02-12

▶

Securelist

Advanced threat predictions for 2024↗2023-11-14

▶

Securelist

Kaspersky Security Bulletin: APT predictions 2024↗2023-11-14

▶