The bug, tracked as CVE-2023-43770, is abused via custom-built plain-text messages and links.
The flaw affects Roundcube email server versions between 1.4.14 and 1.5.4 and versions between 1.6.0 and 1.6.3.
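A small triage helper for the version ranges quoted above, added here as an example and not taken from the article or from the Roundcube project. It assumes the ranges are inclusive on both ends (the reported fixes landed in the release following each range) and that the inventory of hostnames and version strings is constructed sample data.

```python
# Added example: flag Roundcube installs whose version falls inside the
# affected ranges the article gives for CVE-2023-43770.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) bounds, as stated in the article. Assumption: the
# boundaries 1.4.14, 1.5.4, 1.6.0 and 1.6.3 are themselves affected.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((1, 4, 14), (1, 5, 4)),
    ((1, 6, 0), (1, 6, 3)),
)


def parse_version(text: str) -> Version:
    """Turn 'major.minor[.patch]' into a comparable tuple.

    A pre-release suffix such as '-rc1' is dropped, so a release candidate is
    compared by its numeric core (conservative: it is never treated as newer
    than the final release it precedes). A missing patch component counts as 0.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True if the version lies inside any of the affected ranges."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames that still run an affected version, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.2",
    "mail-b.example.test": "1.6.4",
    "mail-c.example.test": "1.5.5",
    "mail-d.example.test": "1.4.14",
    "mail-e.example.test": "1.5.0-rc1",
}

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE_INVENTORY))
```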
The patch was released roughly half a year ago.
A BleepingComputer report says there are currently more than 130,000 Roundcube servers exposed on the internet.
There's no telling how many of those are vulnerable to this cross-site scripting flaw.
This one was abused, as a zero-day, by a Russian threat actor known as Winter Vivern.
Roundcube is a web-based IMAP email client, whose most popular feature is the pervasive use of Ajax technology.
It was initially released in 2008, 16 years ago.