CVE ID

CVE-2020-35730

Vulnerability Name

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability

• Project: Roundcube
• Product: Roundcube Webmail

Date

• Date Added: 2023-06-22
• Due Date: 2023-07-13

Description

Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply updates per vendor instructions.

Additional Notes

https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13; https://nvd.nist.gov/vuln/detail/CVE-2020-35730

Related Security News

• APT28 Uses Signal Chat to Deploy BEARDSHELL Malware and COVENANT in Ukraine
• Russian hackers breach orgs to track aid routes to Ukraine
• Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics
• Government webmail hacked via XSS bugs in global spy campaign
• Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
• Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008)

More CVEs Info

Common Vulnerabilities & Exposures (CVE) List