CISA, the Cybersecurity and Infrastructure Security Agency, has issued a warning regarding a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that is currently being targeted by attackers in the wild.
Threat actors are currently taking advantage of a security flaw in a popular webmail client, which is putting organizations that use this client at a high risk of being compromised.
It is crucial that immediate action is taken to address this vulnerability and protect the affected systems.
Niraj Shivtarka, a Zscaler researcher, discovered the vulnerability, tracked as CVE-2023-43770 with a CVSS score of 6.1.
Roundcube is a PHP-based, browser-based IMAP email client. It runs on a range of web servers, including Apache, LiteSpeed, Nginx, Lighttpd, Hiawatha and Cherokee, and supports MySQL, PostgreSQL and SQLite as backing databases.
The vulnerability is an XSS flaw that can expose sensitive information through malicious link references in plain-text messages.
It affects Roundcube versions earlier than 1.4.14, 1.5.x versions before 1.5.4, and 1.6.x versions before 1.6.3.
The vulnerability was fixed in version 1.6.3, released on September 15, 2023.
CISA Adds to KEV
CISA has added CVE-2023-43770 to its Known Exploited Vulnerabilities (KEV) catalog. Vendors are advised to apply mitigations or discontinue use of the affected product.
Shodan, the search engine for internet-connected devices, recently reported more than 132,000 Roundcube servers exposed to the public internet. Any of these that is reachable without proper precautions and security controls in place is a potential target.
Fix Available
The stable release of Roundcube Webmail 1.6.3 is available now, and all production installations of Roundcube 1.6.x should be updated.
For Debian 10 (buster), the problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3 of the roundcube packages, so upgrading those packages is recommended.
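To turn the affected-version ranges above into a quick fleet check, here is an added Python example (not code from the article or from the Roundcube project). The hostnames and versions in the sample inventory are constructed, and the regex treats anything after the upstream major.minor.patch number as a distribution packaging suffix.

```python
import re

# Fixed upstream releases per branch, as listed in the advisory above:
# anything below 1.4.14 (including 1.3.x and older) is affected, as are
# 1.5.x before 1.5.4 and 1.6.x before 1.6.3.
FIXED_IN = {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)}
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?P<suffix>\S*)")

def parse_version(text):
    """Return ((major, minor, patch), has_packaging_suffix)."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return triple, bool(m.group("suffix"))

def is_affected(upstream):
    """True if a plain upstream version falls inside a CVE-2023-43770 range."""
    v, _ = parse_version(upstream)
    fixed = FIXED_IN.get(v[:2], (1, 4, 14))  # older branches compare to 1.4.14
    return v < fixed

def triage(inventory):
    """Map {host: version} to 'patch', 'ok' or 'verify'.

    Distribution builds such as Debian's 1.3.17+dfsg.1-1~deb10u3 carry the
    fix under an old upstream number, so any version with a packaging suffix
    is sent for a package-level check against the distro advisory instead.
    """
    verdicts = {}
    for host, version in inventory.items():
        _, distro_build = parse_version(version)
        if distro_build:
            verdicts[host] = "verify"
        else:
            verdicts[host] = "patch" if is_affected(version) else "ok"
    return verdicts

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mail-a.example.org": "1.6.2",
    "mail-b.example.org": "1.6.3",
    "mail-c.example.org": "1.4.13",
    "legacy.example.org": "1.3.17+dfsg.1-1~deb10u3",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {verdict}")
```

Because the check compares upstream version numbers only, a distro-packaged build is never judged "ok" by this script; confirm those against the distribution's own advisory.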