cbcvebase.
CVE-2023-43770
published 2023-09-22


Priority: P178 (medium)
CVSS 3.1: 6.1 (medium), vector AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-03-04
Exploited in the wild
EPSS: 58.48% (99.0th percentile)
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

Affected (5 ranges)

Vendor    | Product      | Version range                               | Fixed in
debian    | debian_linux | (none given)                                | (none given)
debian    | roundcube    | < roundcube 1.6.3+dfsg-1~deb12u1 (bookworm) | roundcube 1.6.3+dfsg-1~deb12u1 (bookworm)
roundcube | webmail      | < 1.4.14                                    | 1.4.14
roundcube | webmail      | >= 1.5.0, < 1.5.4                           | 1.5.4
roundcube | webmail      | >= 1.6.0, < 1.6.3                           | 1.6.3

Detection & IOCs (extracted from sources)

path: program/lib/Roundcube/rcube_string_replacer.php
  • CVE-2023-43770 is exploited by injecting malicious tags into hyperlink text within text/plain e-mail messages. Detection should focus on anomalous or script-bearing link references in text/plain e-mail bodies processed by Roundcube.
  • Monitor Roundcube webmail servers for unexpected HTTP POST requests to external or hardcoded C2 addresses originating from webmail browser sessions; this is the exfiltration method seen in observed exploitation.
  • Injected JavaScript in exploitation attempts creates invisible input fields to harvest credentials autofilled by browsers or password managers: look for dynamically injected hidden form fields in the Roundcube DOM.
  • Roundcube installations running versions older than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are vulnerable; version fingerprinting of exposed Roundcube servers can prioritise hosts for patching and monitoring.
  • The root cause is improper sanitisation of linkrefs (hyperlink text) in plain-text messages within rcube_string_replacer.php; code review or WAF rules should target unsanitised characters in that processing path.
  • CVE-2023-43770 only affects Roundcube instances where users read mail in a browser-based webmail session; the payload has no persistence and executes only when the malicious e-mail is opened.
  • CISA confirmed active exploitation and added CVE-2023-43770 to its KEV catalog; over 132,000 Roundcube servers were internet-accessible at the time of reporting, making unpatched exposure a significant risk.
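The two defender-side checks the notes above call for, version-range triage and a scan of text/plain bodies for link references that carry markup, as an added example that is not part of this record or of Roundcube's code; the link-reference and markup regexes are a heuristic assumption, not Roundcube's own linkref parser, and SAMPLE_BODY is constructed for the demonstration:

```python
import re
from typing import List, Tuple

# Affected upstream ranges as listed on this page: (lower inclusive, upper exclusive).
AFFECTED_RANGES = [
    (None, (1, 4, 14)),
    ((1, 5, 0), (1, 5, 4)),
    ((1, 6, 0), (1, 6, 3)),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce '1.6.3+dfsg-1~deb12u1' or '1.6' to a comparable tuple such as (1, 6, 3)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.6' to (1, 6, 0)

def is_vulnerable_version(version: str) -> bool:
    """True if an upstream Roundcube version string falls inside an affected range.
    Distribution packages may backport the fix under an older version number,
    so treat a hit as a prioritisation hint, not as proof of exposure."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in AFFECTED_RANGES)

# Heuristic (assumption): a link reference in a text/plain body is either a bare URL
# or a bracketed linkref label; tag characters or a javascript: scheme inside such a
# reference are what the detection notes describe as anomalous.
LINKREF_RE = re.compile(r"(?:https?://|www\.)\S+|\[[^\]]*\]", re.IGNORECASE)
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.IGNORECASE)

def flag_suspicious_links(body: str) -> List[Tuple[int, str]]:
    """Return (line_number, link_reference) pairs whose link text carries markup."""
    hits = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for ref in LINKREF_RE.findall(line):
            if MARKUP_RE.search(ref):
                hits.append((lineno, ref))
    return hits

# Constructed sample text/plain body; only line 4 carries markup inside a link reference.
SAMPLE_BODY = (
    "Hello,\n"
    "Report: https://example.net/report.pdf\n"
    "Reference style: [1] https://example.net/docs\n"
    "Suspicious: [read <script>alert(1)</script> more] https://example.net/\n"
    "Arithmetic, not markup: 1 < 2 > 0\n"
)
```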

CVSS provenance

nvd:           v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv:           6.1 MEDIUM
vulncheck:     6.1 MEDIUM
cisa:          6.1 MEDIUM
vendor_debian: 6.1 MEDIUM
vendor_ubuntu: 6.1 MEDIUM