CISA has issued an alert about a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2023-43770, which attackers are actively exploiting. Discovered by Niraj Shivtarka of Zscaler and rated CVSS 6.1 (medium), the flaw affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. Roundcube is a PHP-based IMAP webmail client that runs on a range of web servers and databases. The bug lies in how it turns URLs in text/plain messages into clickable links (program/lib/Roundcube/rcube_string_replacer.php): a crafted link in a plain-text e-mail can inject script that runs in the recipient's webmail session when the message is opened, exposing session data and mailbox contents. The attacker only needs to send the message; no interaction beyond viewing it is required.
The vulnerability was patched in Roundcube 1.6.3, released on September 15, 2023, with corresponding fixes in 1.5.4 and 1.4.14. CISA has added CVE-2023-43770 to its Known Exploited Vulnerabilities (KEV) catalog, which under BOD 22-01 requires federal civilian agencies to apply the vendor fix or stop using the affected versions, and recommends that all organisations do the same. Over 132,000 Roundcube servers are publicly accessible online, so unpatched instances are readily discoverable by attackers.
The stable 1.6.3 release of Roundcube Webmail is available for upgrade. A backported fix has also been published for Debian 10 (buster) as roundcube version 1.3.17+dfsg.1-1~deb10u3; note that this package keeps the upstream version number 1.3.17 even though it carries the patch.
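The affected ranges above are branch-specific (1.4.x, 1.5.x and 1.6.x each have their own fixed release), so a plain "is it older than 1.6.3" comparison gives wrong answers for 1.4.14 and 1.5.4. The script below is an added example, not code from the article or from the Roundcube project: it reads the version string from a copy of Roundcube's program/include/iniset.php (which defines RCMAIL_VERSION; the exact define() layout is an assumption) and applies the per-branch cut-offs from the advisory. The sample iniset.php excerpts are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Fixed releases per the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}
# The oldest fixed release. Any branch older than 1.4 (e.g. upstream 1.3.x)
# never received a fix and is therefore affected; branches newer than 1.6
# postdate the fix.
OLDEST_FIXED = (1, 4, 14)

# Assumption: Roundcube's program/include/iniset.php contains a line such as
#   define('RCMAIL_VERSION', '1.6.3');
VERSION_DEFINE_RE = re.compile(
    r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)"
)
# Accept "1.6", "1.6.3" and suffixed forms such as "1.7-git" or "1.6-rc".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.][0-9A-Za-z]+)?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Roundcube version string into a comparable (major, minor, patch) tuple.
    A missing patch level or a pre-release suffix ("1.6-rc") is treated as
    patch 0, i.e. earlier than every numbered release of that branch."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True if this upstream version falls inside the CVE-2023-43770 ranges."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return v < OLDEST_FIXED
    return v < fixed


def version_from_iniset(source: str) -> Optional[str]:
    """Extract RCMAIL_VERSION from the text of program/include/iniset.php."""
    m = VERSION_DEFINE_RE.search(source)
    return m.group(1) if m else None


def audit_iniset(source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable). Both are None if no version was found."""
    version = version_from_iniset(source)
    if version is None:
        return (None, None)
    return (version, is_vulnerable(version))


# Constructed excerpts standing in for real iniset.php files.
SAMPLE_VULNERABLE = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"
SAMPLE_PATCHED = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.3');\n"

if __name__ == "__main__":
    for label, src in (("sample A", SAMPLE_VULNERABLE), ("sample B", SAMPLE_PATCHED)):
        version, vulnerable = audit_iniset(src)
        print(f"{label}: RCMAIL_VERSION={version} vulnerable={vulnerable}")
```

Run it against a real install with `audit_iniset(open("/path/to/roundcube/program/include/iniset.php").read())`. One caveat: distribution packages that backport the patch, such as the Debian buster build, still report the old upstream version (1.3.17 here), so on such systems check the package version with the distribution's tooling rather than trusting this upstream comparison alone.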
Source: Cyber Security News
To reduce exposure beyond patching, consider additional cybersecurity measures with the help of a trusted partner such as INFRA (www.infrascan.net), or try it yourself using check.website.