Headline
Ubuntu Security Notice USN-6654-1
Ubuntu Security Notice 6654-1 - It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting attack.
==========================================================================
Ubuntu Security Notice USN-6654-1
February 26, 2024
roundcube vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Roundcube Webmail could allow cross-site scripting (XSS) attacks.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers
Details:
It was discovered that Roundcube Webmail incorrectly sanitized characters
in the linkrefs text messages. An attacker could possibly use this issue to
execute a cross-site scripting (XSS) attack. (CVE-2023-43770)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
roundcube 1.6.2+dfsg-1ubuntu0.1
roundcube-core 1.6.2+dfsg-1ubuntu0.1
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
roundcube 1.5.0+dfsg.1-2ubuntu0.1~esm2
roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm2
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
roundcube 1.4.3+dfsg.1-1ubuntu0.1~esm3
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
roundcube 1.3.6+dfsg.1-1ubuntu0.1~esm3
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm3
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
roundcube 1.2~beta+dfsg.1-0ubuntu1+esm3
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6654-1
CVE-2023-43770
Package Information:
https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.1
Related news
Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated
ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
A vulnerability in Roundcube webmail is being actively exploited and CISA is urging users to install an updated version.
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.