CVE-2023-43770 — Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

Roundcube Webmail — Stored XSS via Malicious Link References in Plain Text Email Messages; Fixed in 1.6.3; KEV February 2024

What is Roundcube Webmail?

Roundcube is a widely deployed open-source webmail client used by government agencies, academic institutions, ISPs, and organizations globally as a browser-based email interface. Persistent XSS vulnerabilities in Roundcube are particularly high-impact: a specially crafted email causes arbitrary JavaScript to execute in the victim's browser session when the email is viewed, without requiring any interaction beyond reading the message. Roundcube is a repeated target for state-sponsored threat actors seeking to compromise government email without requiring endpoint access — targeting the webmail interface directly exploits the intersection of email delivery and browser-based application security.

Overview

CVE-2023-43770 is a persistent (stored) cross-site scripting vulnerability (CWE-79) in Roundcube Webmail. An unauthenticated attacker can send a specially crafted email whose plain text body contains malicious link references; when Roundcube renders the message, JavaScript executes in the victim's browser session. It is distinct from CVE-2023-5631, a separate XSS in HTML email body rendering that was fixed in version 1.6.4: CVE-2023-43770 concerns the handling of link references in text/plain email content. Roundcube released the fix in version 1.6.3 on September 15, 2023. CISA added CVE-2023-43770 to the KEV catalog on February 12, 2024, five months after the patch, confirming that active exploitation had been detected.

Affected Versions

Product                             | Affected                  | Fixed
------------------------------------|---------------------------|-----------------------------------------
Roundcube Webmail 1.6.x             | Prior to 1.6.3            | 1.6.3
Roundcube Webmail 1.5.x and earlier | Check security advisories | Consult Roundcube security announcements

Technical Details

Persistent XSS (CWE-79) in plain text email rendering occurs when Roundcube's plain text to HTML conversion — used to add clickable links to URLs in text/plain messages — fails to properly sanitize certain crafted link reference constructs before rendering them in the browser. The text/plain rendering path is a separate code path from HTML email rendering, and its sanitization may have weaker protections.

The attack flow:

  1. Craft a malicious plain text email — compose an email with Content-Type: text/plain containing a crafted link reference (e.g., an unusual URI scheme, an anchor-like construct, or a specially encoded URL) that Roundcube's plain text renderer converts to an HTML element containing a JavaScript payload
  2. Deliver to a Roundcube user — send the email to the target; no user action beyond viewing the email in Roundcube is required
  3. XSS executes in the victim's session — when Roundcube renders the plain text body with the crafted link, the JavaScript executes in the origin of the Roundcube application
  4. Exfiltrate session data — the attacker-controlled JavaScript can read the victim's emails, contacts, session tokens, or other data accessible within the Roundcube session, and exfiltrate it to an attacker-controlled server

The S:C (scope changed) metric reflects that the XSS executes in the Roundcube web application context rather than being constrained to the email content area alone.
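To make the defensive requirement on the plain-text rendering path concrete, here is an added example of a conservative text/plain linkifier. It is not Roundcube's code; the scheme allow-list, the regular expression and the function name are assumptions. Every slice of the input is HTML-escaped before it reaches the output, and an anchor is built only for allow-listed schemes, so a crafted link reference can only ever appear as inert text.

```python
import html
import re

# Allow-listed schemes for clickable links; anything else stays inert text.
# (Assumed policy for this example, not Roundcube's configuration.)
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A "link reference": scheme, colon, then a run of characters that cannot
# contain whitespace or HTML/attribute delimiters.
_URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):([^\s<>\"']+)")
_TRAILING_PUNCT = ".,;:!?)"


def linkify_plain_text(text: str) -> str:
    """Render a text/plain body as HTML with clickable links.

    Every slice of the input is HTML-escaped before it is appended to the
    output, and an <a> element is built only for allow-listed schemes with
    the href escaped as an attribute value. At worst a crafted reference is
    shown as escaped text; it can never become markup.
    """
    out = []
    pos = 0
    for m in _URL_RE.finditer(text):
        scheme = m.group(1).lower()
        rest = m.group(2).rstrip(_TRAILING_PUNCT)  # leave sentence punctuation out
        url = m.group(1) + ":" + rest
        end = m.start() + len(url)
        out.append(html.escape(text[pos:m.start()]))
        if scheme in ALLOWED_SCHEMES and rest:
            out.append('<a href="%s" rel="noopener noreferrer">%s</a>'
                       % (html.escape(url, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))  # unknown scheme: plain text only
        pos = end
    out.append(html.escape(text[pos:]))
    return "".join(out)
```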

Discovery

CVE-2023-43770 was patched in Roundcube 1.6.3 on September 15, 2023. The nearly five-month gap to CISA KEV addition (February 12, 2024) indicates that exploitation was not immediately detected — organizations running unpatched Roundcube installations were targeted without immediate public disclosure of active exploitation. Roundcube webmail vulnerabilities are a consistent target for APT groups targeting European government and NGO email infrastructure.

Exploitation Context

Roundcube webmail is used by numerous European government agencies, Eastern European organizations, and universities as the primary email interface. This makes it a high-value target for intelligence-gathering operations — compromise of a government official's Roundcube session provides email archive access, contact lists, and active session tokens without requiring endpoint compromise. The February 2024 KEV addition came shortly after research documenting ongoing APT exploitation of Roundcube vulnerabilities, consistent with the pattern of Winter Vivern and other APT groups repeatedly exploiting Roundcube XSS vulnerabilities as a low-footprint intelligence collection technique.

Remediation

  1. Upgrade Roundcube to 1.6.3 or later — the security update was released September 15, 2023; apply immediately if not already done.
  2. Apply subsequent Roundcube security updates — CVE-2023-5631 (fixed in 1.6.4, released October 2023) is a separate XSS that also requires patching; ensure both 1.6.3 and 1.6.4 updates are applied.
  3. Implement Content Security Policy (CSP) headers on the Roundcube application to restrict JavaScript execution origins and reduce the impact of any XSS vulnerabilities.
  4. Review server-side email logs for unusual inbound emails with text/plain content containing unusual link constructs that may have been delivered to users before patching.
  5. Monitor for unusual session activity — outbound HTTP requests from users' browser sessions to unexpected domains during email viewing may indicate active XSS exploitation.
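For remediation step 4, an added example (not a Roundcube or CISA tool) of a retrospective triage pass over retained messages: it walks each message, looks only at text/plain parts, and flags link references with a scheme outside an allow-list or with markup characters inside an otherwise ordinary URL. The allow-list, the heuristics and the two sample messages are constructed assumptions; feed it the raw RFC 5322 messages from your own archive.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed allow-list of schemes considered ordinary in inbound plain text.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}
# Coarse link-reference pattern: scheme, colon, then non-whitespace.
_REF_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):(\S+)")
# Characters (raw or percent-encoded) that have no business inside a URL
# meant for a text/plain message.
_SUSPECT_CHARS = re.compile(r"[<>\"']|%3c|%3e|%22|%27", re.IGNORECASE)


def suspicious_link_refs(body: str) -> list:
    """Return human-readable findings for link references in one text body."""
    findings = []
    for m in _REF_RE.finditer(body):
        scheme, rest = m.group(1).lower(), m.group(2)
        if scheme not in ALLOWED_SCHEMES:
            findings.append("unusual scheme %r" % scheme)
        elif _SUSPECT_CHARS.search(rest):
            findings.append("markup characters in %s link" % scheme)
    return findings


def triage_message(raw: str) -> tuple:
    """Parse one raw message and triage every text/plain part in it."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():  # covers bare text/plain and multipart bodies
        if part.get_content_type() == "text/plain":
            findings.extend(suspicious_link_refs(part.get_content()))
    return str(msg.get("Message-ID", "<no-id>")), findings


def triage_all(raws) -> list:
    """(Message-ID, findings) for every message that produced a finding."""
    return [(mid, f) for mid, f in map(triage_message, raws) if f]


SAMPLE_MESSAGES = [  # constructed samples, not captured traffic
    "From: a@example.test\nTo: b@example.test\nMessage-ID: <benign-1@example.test>\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Hi, the notes are at https://example.test/docs/notes.txt\n",
    "From: c@example.test\nTo: b@example.test\nMessage-ID: <odd-2@example.test>\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Open weird://example.test/x and https://example.test/\"a\n",
]
```

Expect false positives from tokens like "Re:foo"; the pattern is deliberately coarse so that a human reviews the short list it produces.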

Key Details

Property             | Value
---------------------|------------------------------------------------
CVE ID               | CVE-2023-43770
Vendor / Product     | Roundcube / Webmail
NVD Published        | 2023-09-22
NVD Last Modified    | 2025-10-31
CVSS 3.1 Score       | 6.1
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity             | MEDIUM
CWE                  | CWE-79
CISA KEV Added       | 2024-02-12
CISA KEV Deadline    | 2024-03-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
--------------------|---------
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Changed
Confidentiality     | Low
Integrity           | Low
Availability        | None

Required Action

CISA BOD 22-01 Deadline: 2024-03-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|------------------------------------------------------------------------------------------------------------
2023-09-15 | Roundcube releases security update 1.6.3 patching CVE-2023-43770
2023-09-22 | CVE-2023-43770 formally published
2024-02-12 | CISA adds CVE-2023-43770 to the Known Exploited Vulnerabilities catalog, nearly five months after the patch release
2024-03-04 | CISA BOD 22-01 remediation deadline

References

Resource                                 | Type
-----------------------------------------|-----------------------
Roundcube Security Update 1.6.3 Released | Vendor Advisory
NVD: CVE-2023-43770                      | Vulnerability Database
CISA KEV Catalog Entry                   | US Government