
CISA warns about Roundcube email attacks

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity flaw in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), is a cross-site scripting (XSS) flaw in the handling of link references (linkrefs) in plain-text messages.

“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages,” stated CISA.

According to the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), the vulnerability affects Roundcube versions prior to 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

Roundcube maintainers addressed the flaw with the release of version 1.6.3 on September 15, 2023; per the version ranges above, installations on the older branches should be on 1.5.4 or 1.4.14 respectively. Zscaler security researcher Niraj Shivtarkar is credited with discovering and reporting the vulnerability.
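To turn the version ranges above into a concrete check, here is an added Python example (it is not code from Roundcube or from this article). It parses a Roundcube version string, applies the three NVD ranges, and, as an assumption, reads the version from the `define('RCMAIL_VERSION', ...)` line that Roundcube keeps in `program/include/iniset.php`; the file excerpt embedded below is constructed for the example.

```python
import re

# Fixed releases per the NVD ranges: "prior to 1.4.14", "1.5.x before 1.5.4",
# "1.6.x before 1.6.3". Keyed by branch (major, minor).
FIXED = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

# Assumption: Roundcube defines its version as a PHP constant like
#   define('RCMAIL_VERSION', '1.6.2');
# in program/include/iniset.php. Adjust the pattern if your build differs.
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed excerpt for this example, not Roundcube's real file.
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.2');
"""


def parse_version(text):
    """Turn '1.6.2', '1.6' or '1.6.3-git' into a (major, minor, patch) tuple.

    Missing components are treated as 0, so '1.6' compares as 1.6.0.
    Any suffix after the numeric part (e.g. '-git', '-rc') is dropped; a
    snapshot of an unreleased fix therefore looks like the fixed release,
    so confirm against the changelog if you run such builds.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True if the version falls inside one of the NVD-listed vulnerable ranges."""
    v = parse_version(version)
    # "prior to 1.4.14" also covers every older branch (1.3.x, 1.2.x, ...).
    if v < (1, 4, 14):
        return True
    # 1.5.x below 1.5.4 and 1.6.x below 1.6.3. Other branches (1.4.14+, 1.7+)
    # are outside the listed ranges.
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def version_from_iniset(php_source):
    """Extract the RCMAIL_VERSION string from the contents of iniset.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in the supplied source")
    return m.group(1)


def check_install(php_source):
    """Return a small report for an installation's iniset.php contents."""
    version = version_from_iniset(php_source)
    affected = is_affected(version)
    target = FIXED.get(parse_version(version)[:2], FIXED[(1, 6)])
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": ".".join(map(str, target)) if affected else None,
    }


if __name__ == "__main__":
    print(check_install(SAMPLE_INISET))
```

Run it against the real `iniset.php` by passing the file's contents to `check_install`; the report names the fixed release on the same branch to move to, and treats anything below 1.4.14 (including branches older than 1.4) as affected, which matches the "prior to 1.4.14" wording of the NVD entry.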

How the vulnerability is being exploited in the wild is not yet known. Webmail client flaws have, however, been weaponized by threat actors such as Russia-linked APT28 and Winter Vivern in the past year.

Luke Simmonds

Blogger at www.systemtek.co.uk
