CVE-2020-35730
Published 2020-12-28
- Priority: P1 (79)
- CVSS 3.1: 6.1 (medium); vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CISA Known Exploited Vulnerability, remediation due 2023-07-13
- Exploited in the wild
- EPSS: 32.82% (98.1st percentile)
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.4.10+dfsg.1-1 (bookworm) | roundcube 1.4.10+dfsg.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| roundcube | webmail | < 1.2.13 | 1.2.13 |
| roundcube | webmail | >= 1.3.0 < 1.3.16 | 1.3.16 |
| roundcube | webmail | >= 1.4 < 1.4.10 | 1.4.10 |
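As an added example (not code from this page or from the Roundcube project), a small Python check that maps a Roundcube version string onto the affected ranges in the table above and reports which hosts in an inventory still need the branch fix; treating distro-suffixed versions such as 1.4.10+dfsg.1-1 as their upstream version is an assumption.

```python
"""Version check for CVE-2020-35730 against the advisory ranges:
1.2.x before 1.2.13, 1.3.x before 1.3.16, 1.4.x before 1.4.10.
Added example; not from the page or the Roundcube project."""
from __future__ import annotations
import re

# Fixed version per maintained branch, taken from the affected-ranges table.
FIXED_IN = {
    (1, 2): (1, 2, 13),
    (1, 3): (1, 3, 16),
    (1, 4): (1, 4, 10),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '1.4.9', '1.4' or '1.4.10+dfsg.1-1' into a (major, minor, patch) tuple.
    Only the leading numeric components count; a distro suffix is ignored
    (assumption: the packaged version carries the upstream fix)."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # Anything older than the 1.2 branch is 'before 1.2.13' and thus affected.
    if v < (1, 2, 0):
        return True
    # 1.5 and later branches are outside the affected ranges.
    return False


def patch_report(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> fixed version to move to, for vulnerable hosts only.
    Hosts on branches older than 1.2 are pointed at 1.2.13, the oldest fix."""
    out: dict[str, str] = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            branch = parse_version(version)[:2]
            fixed = FIXED_IN.get(branch, FIXED_IN[(1, 2)])
            out[host] = ".".join(map(str, fixed))
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mx1": "1.4.9", "mx2": "1.4.10+dfsg.1-1", "mx3": "1.1.0"}
    print(patch_report(sample))
```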
Detection & IOCs (extracted from sources)
- The exploit is triggered by opening a malicious email in Roundcube — no attachment interaction required; the attack vector is a plain text email with JavaScript embedded in a link reference element mishandled by linkref_addindex in rcube_string_replacer.php.
- Exploitation immediately compromises the Roundcube server upon the victim opening the email, without any attachment interaction — monitor for unexpected JavaScript execution originating from Roundcube webmail sessions.
- Post-exploitation activity includes creation of email forwarding rules redirecting incoming mail to attacker-controlled addresses, and collection of session cookies, user info, and address books — hunt for anomalous forwarding rules and cookie exfiltration in Roundcube logs.
- The malicious email attachment contained JavaScript that fetched and executed additional JavaScript payloads from attacker-controlled infrastructure — monitor outbound HTTP/S requests from Roundcube server processes to external domains.
- Winter Vivern also exploited CVE-2020-35730 between August and September 2023 — broaden detection to include this threat actor's TTPs when hunting for exploitation of this vulnerability.
- CVE-2020-35730 affects Roundcube Webmail versions before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10 — IOCs and TTPs are only relevant against unpatched instances in these version ranges.
- The BlueDelta campaign combined CVE-2020-35730 with two additional Roundcube vulnerabilities (CVE-2020-12641 and CVE-2021-44026) in the same attack chain — detections and IOCs may overlap across all three CVEs.
- The BlueDelta infrastructure IP addresses have defined active date ranges (November 2021 – June 2023); historical detections should be scoped to those windows to reduce false positives.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vulncheck | — | 6.1 | MEDIUM | — |
| cisa | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV
roundcube vulnerabilities
osv·2022-08-08·CVSS 6.1
CVE-2020-12625 [MEDIUM] roundcube vulnerabilities
It was discovered that Roundcube Webmail allowed JavaScript code to be present
in the CDATA of an HTML message. A remote attacker could possibly use this
issue to execute a cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12625)
It was discovered that Roundcube Webmail incorrectly processed login and
logout POST requests. An attacker could possibly use this issue to launch a
cross-site request forgery (CSRF) attack and force an authenticated user to be
logged out. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and
Ubuntu 20.04 ESM. (CVE-2020-12626)
It was discovered that Roundcube Webmail incorrectly processed new plugin names
in rcube_plugin_api.php. An attacker could po
GHSA
GHSA-mr5j-h8xf-5m2m: linkref_addindex in rcube_string_replacer
ghsa_unreviewed·2022-05-24
CVE-2020-35730 [MEDIUM] CWE-79 GHSA-mr5j-h8xf-5m2m: linkref_addindex in rcube_string_replacer
linkref_addindex in rcube_string_replacer.php in Roundcube Webmail before 1.4.10 allows XSS via a crafted email message.
OSV
CVE-2020-35730: An XSS issue was discovered in Roundcube Webmail before 1
osv·2020-12-28·CVSS 6.1
CVE-2020-35730 [MEDIUM] CVE-2020-35730: An XSS issue was discovered in Roundcube Webmail before 1
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
VulnCheck
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
vulncheck·2020·CVSS 6.1
CVE-2020-35730 [MEDIUM] CWE-79 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Affected: Roundcube Roundcube Webmail
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cert.gov.ua/article/4905829; https://go.recordedfuture.com/hubfs/reports/cta-2023-0620.pdf; https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.eclecticiq.com/spearphishing-campaign-targets-zimbra-webmail-portals-of-governme
CISA
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
cisa·2023-06-22·CVSS 6.1
CVE-2020-35730 [MEDIUM] CWE-79 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Vulnerability: Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Affected: Roundcube Roundcube Webmail
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Required Action: Apply updates per vendor instructions.
Notes: https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13; https://nvd.nist.gov/vuln/detail/CVE-2020-35730
Remediation Due Date: 2023-07-13
Ubuntu
Roundcube Webmail vulnerabilities
vendor_ubuntu·2022-08-08·CVSS 6.1
CVE-2020-13964 [MEDIUM] Roundcube Webmail vulnerabilities
Title: Roundcube Webmail vulnerabilities
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail allowed JavaScript code to be present
in the CDATA of an HTML message. A remote attacker could possibly use this
issue to execute a cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12625)
It was discovered that Roundcube Webmail incorrectly processed login and
logout POST requests. An attacker could possibly use this issue to launch a
cross-site request forgery (CSRF) attack and force an authenticated user to be
logged out. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and
Ubuntu 20.04 ESM. (CVE-2020-12626)
It was discovered that Roundcube Webmail in
Debian
CVE-2020-35730: roundcube - An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3...
vendor_debian·2020·CVSS 6.1
CVE-2020-35730 [MEDIUM] CVE-2020-35730: roundcube - An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3...
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Scope: local
bookworm: resolved (fixed in 1.4.10+dfsg.1-1)
bullseye: resolved (fixed in 1.4.10+dfsg.1-1)
forky: resolved (fixed in 1.4.10+dfsg.1-1)
sid: resolved (fixed in 1.4.10+dfsg.1-1)
trixie: resolved (fixed in 1.4.10+dfsg.1-1)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Russian hackers breach orgs to track aid routes to Ukraine
blogs_bleepingcomputer·2025-05-21·CVSS 9.8
[CRITICAL] Russian hackers breach orgs to track aid routes to Ukraine
## Russian hackers breach orgs to track aid routes to Ukraine
## Ionut Ilascu
A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
The hackers targeted entities in the defense, transportation, IT services, air traffic, and maritime sectors in 12 European countries and the United States.
Additionally, the hackers have been tracking the movement of materials into Ukraine by compromising access to private cameras installed in key locations (e.g. border crossings, military installations, rail stations).
A joint advisory from 21 intelligence and cybersecurity agencies in nearly a dozen countries shares the tactics, techniques, a
Bleepingcomputer
Government webmail hacked via XSS bugs in global spy campaign
blogs_bleepingcomputer·2025-05-15·CVSS 6.1
[MEDIUM] Government webmail hacked via XSS bugs in global spy campaign
## Government webmail hacked via XSS bugs in global spy campaign
## Bill Toulas
Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.
## Open email, have data stolen
The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.
A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.
All that is needed from the victim is to open the email to view it, as no other interaction/clicks, redirection
Bleepingcomputer
CISA: Roundcube email server bug now exploited in attacks
blogs_bleepingcomputer·2024-02-12·CVSS 6.1
CVE-2023-43770 [MEDIUM] CISA: Roundcube email server bug now exploited in attacks
## CISA: Roundcube email server bug now exploited in attacks
## Sergiu Gatlan
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via maliciously crafted links in plain/text messages, in low-complexity attacks requiring user interaction.
The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
"We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version," the Roundcube security team said when it released CVE-2023-43770 security updates five months ago.
Whi
Securelist
Advanced threat predictions for 2024
blogs_securelist·2023-11-14
Advanced threat predictions for 2024
Table of Contents
A review of last year’s predictions
1. The rise of destructive attacks
2. Mail servers become priority targets
3. The next WannaCry
4. APT targeting turns toward satellite technologies, producers and operators
5. Hack-and-leak is the new black (and bleak)
6. More APT groups will move from Cobalt Strike to other alternatives
7. SIGINT-delivered malware
8. Drone hacking!
APT predictions for 2024
The rise of creative exploits for mobile, wearables and smart devices
Building new botnets with consumer and corporate software and appliances
Barriers to kernel-level code execution increasingly evaded (kernel rootkits hot again)
Growth in cyberattacks by state-sponsored actors
Hacktivism in cyber-warfare: the new normal in geopolitical conflicts
Supply chain attack
Securelist
Kaspersky Security Bulletin: APT predictions 2024
blogs_securelist·2023-11-14
Kaspersky Security Bulletin: APT predictions 2024
Table of Contents
- A review of last year’s predictions
- APT predictions for 2024
Authors
- GReAT
Advanced persistent threats (APTs) are the most dangerous threats, as they employ complex tools and techniques, and often are highly targeted and hard to detect. Amid the global crisis and escalating geopolitical confrontations, these sophisticated cyberattacks are even more dangerous, as there is often more at stake.
At Kaspersky’s Global Research and Analysis Team (GReAT), we monitor a number of APT groups, analyze trends and try to anticipate their future developments to keep ahead of the evolving threat landscape and keep our customers safe. In this article, we will review the past year’s trends to see which of our 2023 predictions have come true, and try to predict what is to come i
Bleepingcomputer
France says Russian state hackers breached numerous critical networks
blogs_bleepingcomputer·2023-10-26·CVSS 9.8
CVE-2023-38831 [CRITICAL] France says Russian state hackers breached numerous critical networks
## France says Russian state hackers breached numerous critical networks
## Bill Toulas
The Russian APT28 hacking group (aka 'Strontium' or 'Fancy Bear') has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.
The threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831 , a remote code execution vulnerability in WinRAR, and CVE-2023-23397 , a zero-day privilege elevation flaw in Microsoft Outlook.
The Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from utilizing backdoors to evade detection.
This is according to a newly published report from
Bleepingcomputer
European govt email servers hacked using Roundcube zero-day
blogs_bleepingcomputer·2023-10-25·CVSS 6.1
CVE-2023-5631 [MEDIUM] European govt email servers hacked using Roundcube zero-day
## European govt email servers hacked using Roundcube zero-day
## Sergiu Gatlan
The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day in attacks targeting European government entities and think tanks since at least October 11.
The Roundcube development team released security updates fixing the Stored Cross-Site Scripting (XSS) vulnerability ( CVE-2023-5631 ) reported by ESET researchers on October 16.
These security patches were pushed five days after the Slovak cybersecurity company detected Russian threat actors using the zero-day in real-world attacks.
According to ESET's findings, the cyberespionage group (also known as TA473) used HTML email messages containing carefully crafted SVG documents to remotely inject arbitrary JavaScript code.
Their
Checkpoint
3rd July – Threat Intelligence Report
blogs_checkpoint·2023-07-03
CVE-2020-12641 3rd July – Threat Intelligence Report
## 3rd July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 3rd July, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
The LockBit ransomware group has recently claimed responsibility for hacking the Taiwan Semiconductor Manufacturing Company (TSMC), the largest contract chip manufacturer globally, serving tech giants such as Apple and Qualcomm. TSMC denied it was breached by Lockbit, but confirmed that the group has breached one of the company’s I
Recorded Future
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities
blogs_recorded_future·CVSS 9.8
[CRITICAL] BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities
# BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities
Recorded Future's Insikt Group, in partnership with Ukraine's Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022.
The
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491
- https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.13
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.16
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.10
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/
- https://roundcube.net/download/
- https://www.alexbirnberg.com/roundcube-xss.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-35730
Timeline
- 2020-12-28: Published
- 2023-06-22: Added to CISA KEV
- Exploited in the wild