KEVIntel
CVE-2023-43770

PUBLISHED

Vendor: Roundcube
Product: Roundcube Webmail
Published: Sep 22, 2023
Description

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

Tags: php, cisa, nessus_scanner

CVSS scores

CVSS v3.1 6.1 Medium

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitation status

Exploited in the wild

Recorded 2024-02-12 00:00:00 UTC

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: partial

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: CISA (added Feb 12, 2024)

Scanner integrations

Scanner: Nessus (reference: https://www.tenable.com/plugins/nessus/114553; detected Jun 02, 2025)

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

knight0x07/CVE-2023-43770-PoC

github · Created 2023-09-28 13:43:25 UTC · 3 stars

PoC for Stored XSS (CVE-2023-43770) Vulnerability

s3cb0y/CVE-2023-43770-POC

github · Created 2023-09-27 17:08:23 UTC · 33 stars

A Proof-Of-Concept for the CVE-2023-43770 vulnerability.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nessus