CISA Known Exploited Vulnerability (KEV)
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
February 12, 2024
March 4, 2024
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
References
Weakness Enumeration
| CWE-ID | CWE Name |
|---|---|
|
CWE-79 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |