February 12, 2024 at 11:57PM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity security flaw affecting Roundcube email software to its known exploited vulnerabilities catalog. Tracked as CVE-2023-43770, the cross-site scripting (XSS) flaw in Roundcube Webmail allows for information disclosure via malicious link references. Agencies are mandated to apply fixes by March 4, 2024.
The key points of the report (category: Vulnerability / Email Security) are as follows:
1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a medium-severity security flaw impacting Roundcube email software and has added it to its Known Exploited Vulnerabilities (KEV) catalog.
2. The security flaw is tracked as CVE-2023-43770 (CVSS score: 6.1) and is related to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.
3. Roundcube Webmail versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 are impacted by the vulnerability, which was addressed in version 1.6.3 released on September 15, 2023.
4. The vulnerability was discovered and reported by Zscaler security researcher Niraj Shivtarkar; it is not currently known how the vulnerability is being exploited in the wild.
5. U.S. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.
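Because the fix lands at a different patch level on each maintained branch (1.4.14, 1.5.4, 1.6.3, with everything older than 1.4.14 also affected), a plain "is it older than 1.6.3" check misclassifies patched 1.4 and 1.5 installs. The following Python helper, added here as an illustration and not part of the original article or of Roundcube itself, encodes the affected ranges from the report and applies them to a constructed host inventory; the inventory, host names and the `hosts_needing_patch` function are assumptions for the example.

```python
import re

# Minimum fixed release on each branch named in the advisory text
# (before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3).
FIXED_BY_BRANCH = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(text):
    """Turn a dotted version string such as '1.6.2' or 'v1.5.3-rc1' into
    a (major, minor, patch) tuple of ints; a missing patch level counts as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_by_cve_2023_43770(version):
    """True when the given Roundcube version falls inside the affected ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Maintained branch: compare against that branch's own fix level.
        return v < FIXED_BY_BRANCH[branch]
    # Anything below 1.4.14 is affected, so older branches (1.3.x, 0.x) are too.
    if v < (1, 4, 14):
        return True
    # Branches newer than 1.6 are not listed as affected.
    return False


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "mail-a": "1.6.2",
    "mail-b": "1.6.3",
    "mail-c": "1.5.3",
    "mail-d": "1.4.14",
    "mail-e": "1.3.17",
}


def hosts_needing_patch(inventory):
    """Return the host names whose Roundcube version is still affected, sorted."""
    return sorted(h for h, ver in inventory.items() if is_affected_by_cve_2023_43770(ver))


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Roundcube {SAMPLE_INVENTORY[host]} is affected, patch before March 4, 2024")
```

The branch-aware comparison is the point: `1.4.14` and `1.5.4` are lower than `1.6.3` yet already carry the fix, so a single threshold would flag them as vulnerable and miss the real gap on hosts still running a 1.6.x release below 1.6.3.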