Exciting News: Roundcube Email Vulnerability Patch Released – Stay Secure!


In a recent update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there’s good news for Roundcube email users. CISA has flagged a medium-severity security flaw affecting the Roundcube email software. The flaw, tracked as CVE-2023-43770, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog because of evidence of active exploitation.

The vulnerability, rated with a CVSS score of 6.1, is a cross-site scripting (XSS) issue triggered by the handling of linkrefs in plain-text messages. CISA’s statement highlighted the risk of information disclosure through malicious link references in plain-text messages.

According to details listed in NIST’s National Vulnerability Database (NVD), this vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube maintainers released version 1.6.3 on September 15, 2023, which addresses the flaw. Credit for discovering and reporting the vulnerability goes to Zscaler security researcher Niraj Shivtarkar.
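The affected-version ranges above are branch-specific, so a simple "is it older than 1.6.3?" comparison would wrongly flag patched 1.4.x and 1.5.x installs. The following is an added example (not code from the article or from the Roundcube project) that encodes the three ranges exactly as stated and checks a constructed, hypothetical host inventory against them; the host names and version strings are made up for illustration.

```python
import re
from typing import List, Tuple

# Fixed release per branch, as stated in the NVD entry quoted above:
# versions before 1.4.14, 1.5.x before 1.5.4 and 1.6.x before 1.6.3 are affected.
FIXED_PER_BRANCH = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a version string such as '1.6.2' or 'v1.5.4' into (major, minor, patch).

    Pre-release suffixes (e.g. '-rc') are dropped, so a release candidate is treated
    like its final release; that is a simplifying assumption of this helper.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """Return True if the version falls inside an affected range for CVE-2023-43770."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_PER_BRANCH:
        # Within a listed branch, anything below that branch's fixed release is affected.
        return v < FIXED_PER_BRANCH[branch]
    if v < (1, 4, 14):
        # Older branches (1.3.x and earlier) are all "before 1.4.14".
        return True
    # Branches newer than 1.6 are not listed as affected.
    return False


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY: List[Tuple[str, str]] = [
    ("mail-01.example.internal", "1.6.2"),
    ("mail-02.example.internal", "1.6.3"),
    ("mail-03.example.internal", "1.5.4"),
    ("legacy.example.internal", "1.3.17"),
    ("mail-04.example.internal", "1.4.15"),
]


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose Roundcube version is still in an affected range."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: update required (CVE-2023-43770)")
```

Note that 1.4.15 and 1.5.4 are reported as clean even though they are numerically lower than 1.6.3, which is the behaviour a patch-compliance check needs for a project that backports fixes to several maintained branches.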

While the specifics of the exploitation remain unclear, it’s essential to note that similar vulnerabilities in web-based email clients have been exploited by threat actors in the past, including Russia-linked groups like APT28 and Winter Vivern.

To ensure robust network security, U.S. Federal Civilian Executive Branch (FCEB) agencies have been directed to implement vendor-provided fixes by March 4, 2024. This proactive measure aims to safeguard networks against potential threats, emphasizing the importance of timely updates and vigilant cybersecurity practices. Stay informed, stay secure!
