Roundcube Webmail XSS Vulnerability Exposes Sensitive Data

RoundCube Webmail is a browser-based, multilingual IMAP client. Its extensive feature set includes MIME support, address books, folder manipulation, message searching, spell checking, and more.

A cross-site scripting (XSS) vulnerability tracked as CVE-2023-43770 in Roundcube has been found, which might result in information leakage through malicious link references in plain/text communications.

Roundcube Webmail 1.6.3 is now available. It offers a patch for a recently discovered XSS vulnerability reported by Niraj Shivtarkar. 

“We just published a security update to version 1.6 of Roundcube Webmail. According to the release notes, it provides a fix to a recently reported XSS vulnerability”.

Among other features, Roundcube Webmail supports internationalized domain names, shared folders and namespaces, and SMTP delivery status notifications. Also, the IMAP folders’ user interface has been changed to allow more space for extensions and plug-ins.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Changelog For Version 1.6.3

  • Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
  • Update jQuery-UI to version 1.13.2 (#9041)
  • Fix regression that broke use_secure_urls feature (#9052)
  • Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
  • Fix bug where a duplicate <title> tag in HTML email could cause some parts to be cut off (#9029)
  • Fix bug where a list of folders could have been sorted incorrectly (#9057)
  • Fix regression where LDAP addressbook ‘filter’ option was ignored (#9061)
  • Fix wrong order of a multi-folder search result when sorting by size (#9065)
  • Fix so install/update scripts do not require PEAR (#9037)
  • Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
  • Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
  • Fix PHP8 deprecation warning in the reconnect plugin (#9083)
  • Fix “Show source” on mobile with x_frame_options = deny (#9084)
  • Fix various PHP warnings (#9098)
  • Fix deprecated use of ldap_connect() in password’s ldap_simple driver (#9060)
  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages

The remote Debian 10 host has packages installed that are affected by this vulnerability. 

Fix Available

Roundcube Webmail 1.6.3 is considered stable and it is recommended to update all productive installations of Roundcube 1.6.x with it.

For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.

Hence, it is recommended that you upgrade your roundcube packages.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.