Alert: CISA Warns of Active 'Roundcube' Email Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw affecting the Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), is a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.

"Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said.

According to the description of the bug in NIST's National Vulnerability Database (NVD), the vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

The flaw was addressed by the Roundcube maintainers in version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with discovering and reporting the vulnerability.
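As an added example (not code from the article, CISA or the Roundcube project), the following Python check maps a reported Roundcube version string onto the affected ranges NVD lists for CVE-2023-43770, so an administrator can flag installs that still need the fixed release; the inventory hostnames and version strings are constructed samples.

```python
"""Flag Roundcube installs still inside the version ranges NVD lists as
affected by CVE-2023-43770 (persistent XSS via linkrefs in plain-text mail).
Added example; the inventory below is constructed, not real hosts."""
import re

# Affected ranges as published on NVD for CVE-2023-43770:
#   before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3
# Keyed by (major, minor) branch -> first fixed version on that branch.
FIXED_IN = {
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}
# Anything not on the 1.5 or 1.6 branch is compared against 1.4.14, so
# 1.3.x/1.4.x count as affected and later branches do not.
DEFAULT_FIXED = (1, 4, 14)


def parse_version(text):
    """Turn '1.6.2', '1.6' or 'Roundcube Webmail 1.5.3' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls in an NVD-listed affected range."""
    v = parse_version(version)
    return v < FIXED_IN.get(v[:2], DEFAULT_FIXED)


# Constructed sample inventory: (hostname, version string as reported).
SAMPLE_INVENTORY = [
    ("mail-1.example.internal", "Roundcube Webmail 1.6.2"),
    ("mail-2.example.internal", "1.6.3"),
    ("legacy.example.internal", "1.4.13"),
    ("mail-3.example.internal", "1.5.4"),
]


def hosts_needing_patch(inventory):
    """Return hostnames whose Roundcube version is still affected."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2023-43770, upgrade to a fixed release")
```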

It is currently not known how the vulnerability is being exploited in the wild, but flaws in the web-based email client were weaponized by Russia-linked threat actors such as APT28 and Winter Vivern last year.

U.S. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.
