A vulnerability in the Roundcube email server platform is being actively exploited, the US government has warned, urging its agencies to apply the patch and secure their agencies as early as possible.
In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent cross-site scripting (XSS) bug is being actively exploited in the wild. The bug, tracked as CVE-2023-43770, is exploited via customized plain text messages and links.
The flaw affects versions of Roundcube email servers between 1.4.14 and 1.5.4 and versions between 1.6.0 and 1.6.3. The patch was released about six months ago. CISA also said that US Federal Civilian Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and secure their endpoints.
The private sector is also at risk
Although CISA focuses exclusively on government agencies, this does not mean that private sector organizations are not also at risk.
a BleepingComputer According to the report, there are currently more than 130,000 Roundcube servers on the Internet. There’s no telling how many of these are vulnerable to the cross-site scripting vulnerability.
The same publication also notes that there was a similar Roundcube (cross-site scripting) flaw, tracked as CVE-2023-5631. This was exploited as a zero-day by a Russian threat actor known as Winter Vivern. The campaign apparently started on October 11 last year and resulted in the hackers stealing emails from compromised Roundcube webmail servers of government agencies and think tanks in Europe.
Roundcube is a web-based IMAP email client, whose most popular feature is the widespread use of Ajax technology. The product is free and open source, subject to the terms of the GNU General Public License (except for skins and plugins). It was first released in 2008, 16 years ago.