SB2023102803 - Cross-site scripting in Roundcube

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2023-43770)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in program/lib/Roundcube/rcube_string_replacer.php due to insufficient sanitization of user-supplied data passed via text/plain e-mail messages with crafted links. A remote attacker can send a specially crafted email message and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
• https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b
• https://lists.debian.org/debian-lts-announce/2023/09/msg00024.html