CISA Warns Of Active 'Roundcube' Email Attacks

A security flaw of medium severity that affects Roundcube email software was added to the database of Known Exploited Vulnerabilities (KEV) on Monday by the United States Cybersecurity and Infrastructure Security Agency (CISA). This flaw affects Roundcube email software. This particular modification was introduced on the basis of evidence that the problem was being actively exploited.

There is a cross-site scripting (XSS) vulnerability that is connected with the issue, which has been given the number CVE-2023-43770 and has a CVSS score of 6.1. This vulnerability is caused by the way linkrefs are handled in plain text communications.

“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages,” according to the organization.

Roundcube versions previous to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3 are all affected by the vulnerability, according to a description of the problem that can be found on the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST). Additional information on the vulnerability can be found on the NIST website.

In version 1.6.3, which was made available to the general public on September 15, 2023, the Roundcube maintainers incorporated a patch for the vulnerability that was discovered. Niraj Shivtarkar, a security researcher at Zscaler, is identified as the person responsible for detecting and disclosing the vulnerability. In addition to that, he is credited for identifying the problem.

Despite the fact that there is currently no information available on the method in which the vulnerability is being exploited in the field, vulnerabilities in the web-based email client have been weaponized by threat actors with links to Russia in 2015. These threat actors include APT28 and Winter Vivern.

When it comes to protecting their networks from potential dangers, the agencies that fall under the jurisdiction of the Federal Civilian Executive Branch (FCEB) of the United States of America have been granted the power to deploy solutions that are offered by vendors, with the deadline for doing so being March 4, 2024.