The U.S. Cybersecurity and Infrastructure Security Company (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software package to its Known Exploited Vulnerabilities (KEV) catalog, dependent on proof of active exploitation.
The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-website scripting (XSS) flaw that stems from the managing of linkrefs in plain text messages.
“Roundcube Webmail includes a persistent cross-site scripting (XSS) vulnerability that can guide to info disclosure via destructive website link references in simple/text messages,” CISA mentioned.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
According to a description of the bug on NIST’s Countrywide Vulnerability Database (NVD), the vulnerability impacts Roundcube variations just before 1.4.14, 1.5.x right before 1.5.4, and 1.6.x in advance of 1.6.3.
The flaw was addressed by Roundcube maintainers with variation 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with exploring and reporting the vulnerability.
It truly is at present not recognised how the vulnerability is being exploited in the wild, but flaws in the web-centered email consumer have been weaponized by Russia-linked risk actors like APT28 and Winter Vivern previous 12 months.
U.S. Federal Civilian Executive Branch (FCEB) companies have been mandated to utilize seller-supplied fixes by March 4, 2024, to secure their networks towards opportunity threats.
Located this post appealing? Stick to us on Twitter and LinkedIn to go through more exclusive written content we post.
Some components of this write-up are sourced from:
thehackernews.com
Rhysida Ransomware Cracked, Free Decryption Tool Released