CVE-2023-43770
Published 2023-09-22
CVE-2023-43770: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of…
Priority P178 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2024-03-04; exploited in the wild
EPSS: 58.48% (99.0th percentile)
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.6.3+dfsg-1~deb12u1 (bookworm) | roundcube 1.6.3+dfsg-1~deb12u1 (bookworm) |
| roundcube | webmail | < 1.4.14 | 1.4.14 |
| roundcube | webmail | >= 1.5.0 < 1.5.4 | 1.5.4 |
| roundcube | webmail | >= 1.6.0 < 1.6.3 | 1.6.3 |
Detection & IOCs (extracted from sources)
- CVE-2023-43770 is exploited by injecting malicious tags into hyperlink text within plain/text email messages. Detection should focus on anomalous or script-bearing link references in text/plain email bodies processed by Roundcube.
- Monitor Roundcube webmail servers for unexpected HTTP POST requests to external/hardcoded C2 addresses originating from webmail browser sessions, which is the exfiltration method used in observed exploitation.
- Injected JavaScript in exploitation attempts creates invisible input fields to harvest autofilled credentials from browser/password managers; look for dynamically injected hidden form fields in the Roundcube DOM.
- Roundcube installations running versions older than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are vulnerable; version fingerprinting of exposed Roundcube servers can prioritize targets for patching and monitoring.
- The root cause is improper sanitization of linkrefs/hyperlink text in plain-text messages within rcube_string_replacer.php; code review or WAF rules should target unsanitized characters in that processing path.
- CVE-2023-43770 only affects Roundcube instances where users access email via a browser-based webmail session; the payload has no persistence and only executes when the malicious email is opened.
- CISA confirmed active exploitation and added CVE-2023-43770 to its KEV catalog; over 132,000 Roundcube servers were internet-accessible at time of reporting, making unpatched exposure a significant risk.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | — |
| vulncheck | 6.1 | MEDIUM | — |
| cisa | 6.1 | MEDIUM | — |
| vendor_debian | 6.1 | MEDIUM | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
OSV: roundcube vulnerability (osv · 2024-02-26 · CVSS 6.1 · MEDIUM)
It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-43770)
OSV: CVE-2023-43770: Roundcube before 1 (osv · 2023-09-22 · CVSS 6.1 · MEDIUM)
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
GHSA: GHSA-g3fv-4f2h-xwv4: Roundcube before 1 (ghsa_unreviewed · 2023-09-22 · MEDIUM · CWE-79)
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
VulnCheck: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (vulncheck · 2023 · CVSS 6.1 · MEDIUM · CWE-79)
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.
Affected: Roundcube Roundcube Webmail
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cert.gov.ua/article/6281123; https://www.welivesecurity.com/en/eset-research/operation-roundpress/; https://blog.polyswarm.io/fancy-bears-spypress-malware; https://cyble.com/blog/critical-it-vulnerabilities-flagged-in-cyble-report/; https://www.cyfirma.com/research/apt-
Ubuntu: Roundcube Webmail vulnerability (vendor_ubuntu · 2024-02-26 · CVSS 6.1 · MEDIUM)
Summary: Roundcube Webmail could allow cross-site scripting (XSS) attacks.
It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-43770)
Instructions: In general, a standard system update will make all the necessary changes.
CISA: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (cisa · 2024-02-12 · CVSS 6.1 · MEDIUM · CWE-79)
Affected: Roundcube Webmail
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://roundcube.net/news/2023/09/15/security-update-1.6.3-released ; https://nvd.nist.gov/vuln/detail/CVE-2023-43770
Remediation Due Date: 2024-03-04
Debian: CVE-2023-43770: roundcube - Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS v... (vendor_debian · 2023 · CVSS 6.1 · MEDIUM)
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Scope: local
- bookworm: resolved (fixed in 1.6.3+dfsg-1~deb12u1)
- bullseye: resolved (fixed in 1.4.14+dfsg.1-1~deb11u1)
- forky: resolved (fixed in 1.6.3+dfsg-1)
- sid: resolved (fixed in 1.6.3+dfsg-1)
- trixie: resolved (fixed in 1.6.3+dfsg-1)
Suricata: ET EXPLOIT RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770) (suricata · 2024-03-28 · CVSS 6.1 · MEDIUM)
Rule:
```
alert smtp any any -> [$SMTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770)"; flow:established,to_server; content:"Content-Type: text/plain|3b|"; content:"|0a 0a 5b 3c|"; fast_pattern; pcre:"/^[^\x3e\x0d\x0a]*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:\x3cs(?:cript[\x3a\x3e\x20\x2b\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; reference:cve,2023-43770; classtype:attempted-user; sid:2051827; rev:2; metadata:attack_target Networking_Equipment, created_at 2024_03_28, cve CVE_2023_43770, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2026_01_14;)
```
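The Suricata signature above encodes three conditions: a `text/plain` content type, a link reference `[<` opening a body paragraph, and an event handler, `<script`, `<style=` or `<iframe` appearing before the next `>` or line break. As an added example (not code from this page, the ET ruleset or the Roundcube project), the Python below transcribes those conditions into a function a mail-gateway or SOC triage script can run over raw message bytes, with constructed sample messages showing a clean link reference, a flagged one, and an HTML-only message the rule does not cover. One assumption broadens the rule's literal `\n\n[<` bytes: CRLF is normalised to LF first, so a message stored with CRLF line endings is also inspected.

```python
import re
from typing import List

# Transcribed from the ET signature on this page (sid 2051827):
#   1. content "Content-Type: text/plain;"
#   2. content "\n\n[<" (a "[<...>]" link reference opening a body paragraph)
#   3. pcre anchored right after (2): before the next '>' or line break,
#      an on*= handler, "<script", "<style=" or "<iframe".
CONTENT_TYPE = b"Content-Type: text/plain;"
LINKREF_OPEN = b"\n\n[<"
SUSPECT = re.compile(
    rb"^[^\x3e\x0d\x0a]*?"
    rb"(?:[\x20\x27\x22\x2f]on[a-z]+\x3d"
    rb"|(?:\x3cs(?:cript[\x3a\x3e\x20\x2b\x2f]|tyle\x3d)"
    rb"|\x3ciframe[\x20\x2f]))"
)


def find_suspect_linkrefs(raw: bytes) -> List[bytes]:
    """Return each offending link-reference fragment, or [] if the message is clean."""
    # Assumption beyond the literal rule: treat CRLF and LF bodies alike.
    msg = raw.replace(b"\r\n", b"\n")
    if CONTENT_TYPE not in msg:
        return []  # the rule only fires on text/plain parts
    hits: List[bytes] = []
    pos = msg.find(LINKREF_OPEN)
    while pos != -1:
        tail = msg[pos + len(LINKREF_OPEN):]
        m = SUSPECT.match(tail)  # same as the rule's /R: relative to "[<"
        if m:
            hits.append(b"[<" + m.group(0))
        pos = msg.find(LINKREF_OPEN, pos + 1)
    return hits


def is_suspicious(raw: bytes) -> bool:
    return bool(find_suspect_linkrefs(raw))


# Constructed sample messages (not real traffic).
BENIGN_MSG = (
    b"From: alice@example.test\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"[<https://intranet.example.test/notes>] has the agenda.\n"
)
SUSPECT_MSG = (
    b"From: alice@example.test\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"[<span onclick=placeholder()>] has the agenda.\n"
)
SUSPECT_MSG_CRLF = SUSPECT_MSG.replace(b"\n", b"\r\n")
HTML_ONLY_MSG = SUSPECT_MSG.replace(b"text/plain", b"text/html")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_MSG), ("suspect", SUSPECT_MSG),
                         ("suspect-crlf", SUSPECT_MSG_CRLF), ("html-only", HTML_ONLY_MSG)]:
        print(name, find_suspect_linkrefs(sample))
```

The HTML-only sample is deliberate: the signature scopes itself to `text/plain` because the vulnerable code path is the plain-text link-reference replacer, so an HTML part with the same markup is outside what this rule claims to detect and needs separate coverage.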
No public exploits indexed.
Bleepingcomputer: Government webmail hacked via XSS bugs in global spy campaign (blogs_bleepingcomputer · 2025-05-15 · CVSS 6.1 · MEDIUM)
## Government webmail hacked via XSS bugs in global spy campaign
By Bill Toulas
Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.
## Open email, have data stolen
The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.
A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.
All that is needed from the victim is to open the email to view it, as no other interaction/clicks, redirection
Bleepingcomputer: Hackers exploit Roundcube webmail flaw to steal email, credentials (blogs_bleepingcomputer · 2024-10-21 · CVSS 6.1 · MEDIUM)
## Hackers exploit Roundcube webmail flaw to steal email, credentials
By Bill Toulas
Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.
An attack was discovered by Russian cybersecurity company Positive Technologies in September, but the researchers determined that the threat actor activity had started in June.
Roundcube Webmail is an open-source, PHP-based webmail solution with support for plugins to extend its functionality, that is popular with commercial and government entities.
The threat actor exploited a medium-severity stored XSS (cross-site scripting) vulnerability identified as CVE-2024-37383, which allows the ex
Bleepingcomputer: CISA: Roundcube email server bug now exploited in attacks (blogs_bleepingcomputer · 2024-02-12 · CVSS 6.1 · MEDIUM)
## CISA: Roundcube email server bug now exploited in attacks
By Sergiu Gatlan
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages maliciously crafted links in low-complexity attacks requiring user interaction.
The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
"We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version," the Roundcube security team said when it released CVE-2023-43770 security updates five months ago.
Whi
References
- https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b
- https://lists.debian.org/debian-lts-announce/2023/09/msg00024.html
- https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43770
Timeline
- 2023-09-22: Published
- 2024-02-12: Added to CISA KEV
- Exploited in the wild