Cross-Site Scripting Vulnerability in Roundcube Webmail
CVE-2020-35730
Key Information:
What is CVE-2020-35730?
A Cross-Site Scripting (XSS) vulnerability exists in Roundcube Webmail prior to versions 1.2.13, 1.3.16, and 1.4.10. An attacker can trigger it by sending a specially crafted plain text email containing JavaScript code. The flaw arises from improper handling of link references in the rcube_string_replacer.php file, which can lead to arbitrary script execution in the context of the victim's webmail session. Users should upgrade to a fixed version to mitigate the risk.
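Because the fix landed separately on three release branches, a version check has to compare against the right branch rather than a single cut-off (1.4.0, for instance, is newer than 1.3.16 but still affected). The following triage helper is an added example and not code from this page or from the Roundcube project; it encodes the fixed versions stated above and assumes that versions older than the 1.2 branch predate every fix, that versions newer than the 1.4 branch were released after it, and that installed versions are reported as `MAJOR.MINOR.PATCH` with an optional `-suffix`. The inventory it scans is constructed sample data.

```python
from typing import Dict, List, Tuple

# Fixed versions as stated in the advisory text: the 1.2, 1.3 and 1.4
# branches were patched in 1.2.13, 1.3.16 and 1.4.10 respectively.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 2): (1, 2, 13),
    (1, 3): (1, 3, 16),
    (1, 4): (1, 4, 10),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    A missing patch component counts as 0 and a trailing '-suffix'
    (e.g. '-rc1') is ignored; both are assumptions about how the
    installed version is reported, not something the advisory states.
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts[0], parts[1], parts[2]


def is_affected(version_text: str) -> bool:
    """True if the given Roundcube version predates the fix on its branch."""
    version = parse_version(version_text)
    branch = (version[0], version[1])
    if branch in FIXED_VERSIONS:
        # Compare within the branch: 1.4.0 is affected even though it is
        # newer than 1.3.16, because the 1.4 fix is 1.4.10.
        return version < FIXED_VERSIONS[branch]
    # Assumption: anything older than 1.2 predates every fix, and anything
    # newer than the 1.4 branch was released after the fix.
    return version < (1, 2, 0)


def find_affected(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose installed version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> installed Roundcube version.
SAMPLE_INVENTORY = {
    "mail-old.example.test": "1.2.12",
    "mail-a.example.test": "1.3.16",
    "mail-b.example.test": "1.4.9",
    "mail-c.example.test": "1.4.10",
    "mail-new.example.test": "1.5.0",
}

if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2020-35730, update per vendor instructions")
```

Feeding this the version string reported by each Roundcube instance (or by a package manager) gives a quick list of hosts that still need the vendor update CISA recommends.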
CISA has reported CVE-2020-35730
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2020-35730 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply updates per vendor instructions.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
References
EPSS Score
58% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published
Vulnerability Reserved