Citing evidence of active exploitation, the United States Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity security flaw in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog on Monday, February 12, 2024.
The flaw, tracked as CVE-2023-43770 (CVSS score: 6.1), is a cross-site scripting (XSS) vulnerability in the way Roundcube handles link references ("linkrefs") when it renders plain text messages.
According to CISA, Roundcube Webmail contains a persistent (stored) cross-site scripting vulnerability that can lead to information disclosure via malicious link references in plain text messages. Because a stored XSS in a mail client fires when the recipient simply opens the crafted message, there is no user-side workaround; applying the vendor fix is the remediation.
The vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3, according to the description in NIST's National Vulnerability Database (NVD).
Roundcube's maintainers fixed the problem in version 1.6.3, released on September 15, 2023, alongside the corresponding 1.5.4 and 1.4.14 backports. Niraj Shivtarkar, a security researcher at Zscaler, is credited with finding and reporting the vulnerability.
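The affected ranges above are awkward to check by eye because the fix landed on three branches at once. The following Python check is an added example, not code from the article or from the Roundcube project: it encodes the NVD ranges and classifies an installed version, optionally pulling that version out of the PHP source. The location of the version constant (program/include/iniset.php) and the exact define('RCMAIL_VERSION', ...) form are assumptions made here, and the sample file contents are constructed for the demonstration.

```python
"""Classify a Roundcube version against the CVE-2023-43770 affected ranges."""
import re
from typing import Optional

# Affected ranges as given in the NVD description quoted above:
#   versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
OLDEST_FIXED = (1, 4, 14)          # anything below this, on any branch, is affected
FIXED_IN = {                       # per-branch fix versions for the newer branches
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Parse '1.6.3', '1.6' or a pre-release tag such as '1.6-rc' into a
    comparable (major, minor, patch) tuple. A pre-release tag carries no patch
    component and is treated as x.y.0, so it sorts below every x.y.n release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the given Roundcube version falls inside an affected range."""
    v = parse_version(version)
    if v < OLDEST_FIXED:
        return True                 # 1.3.x, 1.4.0 .. 1.4.13, and older
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False                # 1.4.14 and later 1.4.x, or a branch newer than 1.6
    return v < fixed                # 1.5.x / 1.6.x compared against their own fix


# Assumption: Roundcube exposes its version as a PHP constant in
# program/include/iniset.php using the define() form matched below.
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_iniset(php_source: str) -> Optional[str]:
    """Extract the RCMAIL_VERSION string from iniset.php source, or None."""
    m = _DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def check_install(php_source: str) -> dict:
    """Combine extraction and range check into one result for an install."""
    version = version_from_iniset(php_source)
    if version is None:
        return {"version": None, "affected": None, "action": "version constant not found"}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "action": "upgrade to 1.6.3 / 1.5.4 / 1.4.14" if affected else "not affected by this CVE",
    }


# Constructed sample of the version line; not copied from a real install.
SAMPLE_INISET = "<?php\n// ... other setup ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"

if __name__ == "__main__":
    for v in ("1.3.17", "1.4.13", "1.4.14", "1.5.3", "1.5.4", "1.6-rc", "1.6.2", "1.6.3", "1.7.0"):
        print(f"{v:8s} affected={is_affected(v)}")
    print(check_install(SAMPLE_INISET))
```

To run it against a real install, read the iniset.php file and pass its contents to check_install(); the branch-aware comparison matters because a naive "is it below 1.6.3" test would wrongly flag 1.5.4 and 1.4.14, which are patched.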
Threat actors linked to Russia, such as APT28 and Winter Vivern, have exploited other flaws in the webmail client over the past year; no public details are currently available on how CVE-2023-43770 itself is being exploited.
U.S. Federal Civilian Executive Branch (FCEB) agencies must apply the vendor-provided fixes by March 4, 2024 to secure their networks against potential threats.