First published: Fri Sep 22 2023(Updated: )
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Roundcube Webmail | <1.4.14 | |
Roundcube Webmail | >=1.5.0<1.5.4 | |
Roundcube Webmail | >=1.6.0<1.6.3 | |
Debian Debian Linux | =10.0 | |
Roundcube email server | =1.4.14 | |
Roundcube email server | =1.5.x before 1.5.4 | |
Roundcube email server | =1.6.x before 1.6.3 | |
debian/roundcube | <=1.3.17+dfsg.1-1~deb10u2 | 1.3.17+dfsg.1-1~deb10u5 1.4.15+dfsg.1-1~deb11u2 1.6.5+dfsg-1~deb12u1 1.6.6+dfsg-2 |
ubuntu/roundcube | <1.3.6+dfsg.1-1ubuntu0.1~ | 1.3.6+dfsg.1-1ubuntu0.1~ |
ubuntu/roundcube | <1.4.3+dfsg.1-1ubuntu0.1~ | 1.4.3+dfsg.1-1ubuntu0.1~ |
ubuntu/roundcube | <1.5.0+dfsg.1-2ubuntu0.1~ | 1.5.0+dfsg.1-2ubuntu0.1~ |
ubuntu/roundcube | <1.6.2+dfsg-1ubuntu0.1 | 1.6.2+dfsg-1ubuntu0.1 |
ubuntu/roundcube | <1.6.3+dfsg-1 | 1.6.3+dfsg-1 |
ubuntu/roundcube | <1.2~ | 1.2~ |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
The vulnerability ID for this Roundcube vulnerability is CVE-2023-43770.
The severity of CVE-2023-43770 is medium.
Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are affected by CVE-2023-43770.
CVE-2023-43770 occurs due to XSS in text/plain e-mail messages with crafted links in Roundcube.
To fix CVE-2023-43770, update Roundcube to version 1.4.14, 1.5.4, or 1.6.3.