The U.S. Cybersecurity and Infrastructure Security Company (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software package to its Known Exploited Vulnerabilities (KEV) catalog, dependent on proof of active exploitation.
The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-website scripting (XSS) flaw that stems from the managing of linkrefs in plain text messages.
“Roundcube Webmail includes a persistent cross-site scripting (XSS) vulnerability that can guide to info disclosure via destructive website link references in simple/text messages,” CISA mentioned.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
According to a description of the bug on NIST’s Countrywide Vulnerability Database (NVD), the vulnerability impacts Roundcube variations just before 1.4.14, 1.5.x right before 1.5.4, and 1.6.x in advance of 1.6.3.
The flaw was addressed by Roundcube maintainers with variation 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with exploring and reporting the vulnerability.
It truly is at present not recognised how the vulnerability is being exploited in the wild, but flaws in the web-centered email consumer have been weaponized by Russia-linked risk actors like APT28 and Winter Vivern previous 12 months.
U.S. Federal Civilian Executive Branch (FCEB) companies have been mandated to utilize seller-supplied fixes by March 4, 2024, to secure their networks towards opportunity threats.
Located this post appealing? Stick to us on Twitter and LinkedIn to go through more exclusive written content we post.
Some components of this write-up are sourced from:
thehackernews.com