CVE-2023-43770

Basic Information

CVE State: PUBLISHED
Reserved Date: September 22, 2023
Published Date: September 22, 2023
Last Updated: August 02, 2024
Vendor: n/a
Product: n/a
Description: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

CVSS Scores

CVSS v3.1

6.1 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC Information

Exploitation: active
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (added 2024-02-12 00:00:00 UTC)
Proof of Concept Available: Yes (added 2023-09-28 13:43:25 UTC)

Known Exploited Vulnerability Information

Source: CISA
Added Date: 2024-02-12 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

knight0x07/CVE-2023-43770-PoC

Type: github • Created: 2023-09-28 13:43:25 UTC • Stars: 3

PoC for Stored XSS (CVE-2023-43770) Vulnerability

s3cb0y/CVE-2023-43770-POC

Type: github • Created: 2023-09-27 17:08:23 UTC • Stars: 33

A Proof-Of-Concept for the CVE-2023-43770 vulnerability.