CVE-2023-43770

Published Sep 22, 2023

Last updated 7 months ago

Exploit knownCVSS medium 6.1
XSS

Overview

Description
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Source
cve@mitre.org
NVD status
Analyzed
Products
webmail, debian_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Known exploits

Data from CISA

Vulnerability name
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Exploit added on
Feb 12, 2024
Exploit action due
Mar 4, 2024
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-79
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2023-43770

    @transilienceai

    13 Oct 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Actively exploited CVE : CVE-2023-43770

    @transilienceai

    12 Oct 2025

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Actively exploited CVE : CVE-2023-43770

    @transilienceai

    11 Oct 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. #APT28 Different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Roundcube CVE-2020-35730 CVE-2023-43770 MDaemon CVE-2024-11182 Outlook Elevation of Privilege Vul CVE-2023-23397 Zimbra CVE-2024-27443 https://t.co/VX2gyK5WkH https:

    @blackorbird

    16 May 2025

    3161 Impressions

    22 Retweets

    63 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.CVE-2026-29964
  2. NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.CVE-2020-37236
  3. Microsoft Exchange Server Cross-Site Scripting VulnerabilityCVE-2026-42897
  4. Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.CVE-2026-34686
  5. Linux Kernel Incorrect Resource Transfer Between Spheres VulnerabilityCVE-2026-31431

References

Sources include official advisories and independent security research.