XSS in Roundcube text/plain message link handling
CVE-2023-43770 is a cross-site scripting vulnerability in Roundcube Webmail affecting versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. It is triggered when Roundcube renders crafted links in text/plain messages: the link-reference handling in program/lib/Roundcube/rcube_string_replacer.php lets attacker-controlled link content reach the generated HTML without adequate escaping. A specially crafted email therefore causes attacker-controlled JavaScript to run in the context of the victim's authenticated Roundcube session as soon as the message is displayed. The sources tracked on this page report that the flaw was operationally exploited in espionage campaigns in zero-click or near-zero-click form: opening, or merely previewing, the message in the webmail interface was enough to trigger the script, with no link click or attachment required.
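The bug class behind this CVE is a plain-text-to-HTML linkifier that interpolates a URL-like token into an anchor without escaping it. The following is an added illustration written for this page, not Roundcube's rcube_string_replacer code: a deliberately minimal linkifier in its vulnerable form beside the hardened form that escapes the whole body before wrapping URLs. The regex, function names and the crafted message are assumptions chosen for the demonstration.

```python
import html
import re

# Simplified URL matcher in the spirit of a webmail plain-text linkifier.
# Assumption for this example: a URL token runs to the next whitespace.
URL_RE = re.compile(r'(https?://\S+)')

# Constructed sample message body: the "URL" closes the href attribute and
# the <a> tag, then injects an element with an event handler.
CRAFTED = 'Visit https://example.com/"><svg/onload=alert(1)> now'


def linkify_vulnerable(text: str) -> str:
    """Vulnerable pattern: the matched token is dropped straight into the
    attribute value and the link text, so a token containing quote and angle
    brackets breaks out of the attribute and injects markup."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), text)


def linkify_fixed(text: str) -> str:
    """Hardened pattern: escape the entire plain-text body for the HTML
    context first (quote=True also escapes " and '), then wrap URL tokens.
    Entities such as &quot; and &gt; stay inert inside the attribute and the
    link text, and the browser decodes them back to the original characters
    only as attribute/text content, never as markup."""
    escaped = html.escape(text, quote=True)
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), escaped)


def injects_markup(rendered: str) -> bool:
    """Crude check used only for the demo: a raw <svg tag surviving into the
    output means the crafted token escaped the attribute context."""
    return '<svg' in rendered


if __name__ == '__main__':
    print('vulnerable:', linkify_vulnerable(CRAFTED))
    print('fixed     :', linkify_fixed(CRAFTED))
    print('vulnerable injects markup:', injects_markup(linkify_vulnerable(CRAFTED)))
    print('fixed injects markup     :', injects_markup(linkify_fixed(CRAFTED)))
```

The order of operations is the point: escaping after linkification would also escape the anchor tags the linkifier just emitted, while escaping nothing (the vulnerable form) leaves every URL token as an injection vector. Escaping the whole body first and then matching URLs in the escaped text keeps both the anchors and the user-controlled bytes in their correct contexts.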
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a proof-of-concept (PoC) exploit for CVE-2023-43770, a stored cross-site scripting (XSS) vulnerability in Roundcube Webmail (versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3). The exploit is a single Python script (cve-2023-43770.py) that sends a specially crafted plain-text email containing a JavaScript payload to a target user. The attacker supplies sender email credentials and the recipient's address, and the script delivers the message over SMTP (defaulting to smtp.gmail.com:587). When the victim views the email in a vulnerable Roundcube instance, the JavaScript executes, demonstrating the XSS. The repository also includes a README.md with usage instructions, references, and a disclaimer. It contains no detection or scanning functionality; the code is strictly a PoC for educational and testing purposes.
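Because the payload travels in the text/plain part of an ordinary message, a defender can triage mail for it before it reaches a Roundcube inbox. The following is an added example written for this page, not code from the PoC repository or from Roundcube: it parses an .eml, scans only the text/plain parts for URL tokens that carry HTML metacharacters and script-like content, and pairs that with a check of a Roundcube version string against the affected ranges stated above. The sample messages are constructed for the demo, and the regexes are assumptions about what a crafted link looks like, not a vendor signature.

```python
import email
import re
from email import policy

# A URL token (run to whitespace) that contains a quote or angle bracket.
# Assumption: legitimate plain-text links do not carry these characters.
SUSPICIOUS_URL = re.compile(r'https?://\S*[<>"\']\S*', re.I)
# Script-like content inside such a token: an injected element, an event
# handler attribute, or a javascript: scheme.
SCRIPTY = re.compile(r'<\s*(?:script|svg|img|iframe)\b|\bon\w+\s*=|javascript:', re.I)

# Constructed sample: multipart/alternative with a crafted link in the
# text/plain part and an ordinary text/html part.
SAMPLE_EML = b"""From: sender@example.test
To: victim@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please check https://example.test/"><svg/onload=alert(1)> then https://example.test/ok
--b1
Content-Type: text/html; charset=utf-8

<p>Please check <a href="https://example.test/ok">ok</a></p>
--b1--
"""

# Constructed benign sample for comparison.
BENIGN_EML = b"""From: sender@example.test
To: victim@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please check https://example.test/ok?a=1&b=2
"""


def plain_text_parts(raw: bytes):
    """Yield the decoded body of every text/plain part in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == 'text/plain':
            yield part.get_content()


def find_suspicious_links(raw: bytes) -> list:
    """Return URL tokens from text/plain parts that look like link-based HTML injection."""
    hits = []
    for body in plain_text_parts(raw):
        for m in SUSPICIOUS_URL.finditer(body):
            token = m.group(0)
            if SCRIPTY.search(token):
                hits.append(token)
    return hits


def parse_version(v: str) -> tuple:
    """Turn '1.6.2' (or '1.6.2-rc1') into a comparable 3-tuple of ints."""
    nums = [int(x) for x in re.findall(r'\d+', v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(v: str) -> bool:
    """Affected ranges from the advisory text: before 1.4.14, 1.5.x before 1.5.4,
    1.6.x before 1.6.3. Anything else (1.4.14, 1.5.4, 1.6.3 and later) is not."""
    t = parse_version(v)
    if t < (1, 4, 14):
        return True
    if (1, 5, 0) <= t < (1, 5, 4):
        return True
    if (1, 6, 0) <= t < (1, 6, 3):
        return True
    return False


if __name__ == '__main__':
    print('suspicious links:', find_suspicious_links(SAMPLE_EML))
    print('benign message  :', find_suspicious_links(BENIGN_EML))
    for ver in ('1.4.13', '1.4.14', '1.5.3', '1.6.2', '1.6.3'):
        print(ver, 'affected' if is_affected_version(ver) else 'not affected')
```

The scanner deliberately ignores text/html parts: the CVE is in how Roundcube converts plain text to HTML, so a crafted token in the HTML part is a different (and separately sanitized) code path. Treat a hit as a triage signal, not a verdict; the version check is the reliable part, since any instance in the affected ranges needs the patch regardless of what mail it has received.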
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The Roundcube vulnerability singled out as the key flaw to patch in connection with the FancyBear webmail exploitation campaign and its XSS-based compromise activity.
The Roundcube webmail vulnerability that the report says FancyBear/APT28 exploited as part of this campaign, tied to the same C2 infrastructure and used against government and military targets.
The cross-site scripting (XSS) vulnerability in Roundcube that APT28 exploited for zero-click attacks, in a campaign that also targeted Zimbra webmail through a separate flaw.
A cross-site scripting (XSS) vulnerability in Roundcube webmail that was reportedly weaponized for zero-click style attacks, using injected malicious code and abuse of the webmail API to steal credentials and email data.