Roundcube - Cross Site Scripting CVE-2023-43770
- Severity
- Vulnerability description
Roundcube Webmail releases older than the fixed versions listed under Recommendation allow cross-site scripting via text/plain e-mail messages containing crafted links, because of the way program/lib/Roundcube/rcube_string_replacer.php rewrites URL-like text in a plain-text message body into HTML links. The webmail client does not correctly neutralize this sender-controlled text before placing it in the HTML page that is rendered for the recipient, so a remote attacker who can deliver a message to a user's mailbox can inject HTML and have arbitrary JavaScript execute in that user's browser when the message is displayed.
- Risk description
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
- Recommendation
Update Roundcube to 1.4.15, 1.5.5 or 1.6.4, or to any later release on the branch you run.
- References
- https://security-tracker.debian.org/tracker/CVE-2023-43770
- https://nvd.nist.gov/vuln/detail/CVE-2023-43770
- Codename
- Not available
- Detectable with
- Network Scanner
- Scan engine
- Nuclei
- Exploitable with Sniper
- No
- CVE Published
- Aug 28, 2023
- Detection added at
- Software Type
- Not available
- Vendor
- Not available
- Product
- Not available