The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw affecting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.
“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages,” CISA said.
According to the description of the bug in NIST’s National Vulnerability Database (NVD), the vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
The flaw was addressed by the Roundcube maintainers in version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with discovering and reporting the vulnerability.
It is currently not known how the vulnerability is being exploited in the wild, but flaws in the web-based email client have been weaponized by Russia-linked threat actors such as APT28 and Winter Vivern last year.
U.S. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.
Some parts of this article are sourced from:
thehackernews.com