Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability​

Roundcube releases a security update to mitigate Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (CVE-2023-43770) in Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.



Email communication plays a crucial role in today’s digital world, connecting individuals and organizations worldwide. However, with the increasing reliance on email, security vulnerabilities pose significant threats. One such recent vulnerability, CVE-2023-43770, exposed Roundcube Webmail to Persistent Cross-Site Scripting (XSS) attacks. In this blog post, we’ll explore the details of the vulnerability, its potential risks, and how Roundcube swiftly addressed the issue in its latest release, version 1.6.3.


Understanding CVE-2023-43770:

The vulnerability, identified as CVE-2023-43770, affected Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The security flaw allowed attackers to exploit XSS via text/plain email messages containing crafted links. The root cause of the vulnerability was traced back to the behavior of the program/lib/Roundcube/rcube_string_replacer.php file.

XSS vulnerabilities are particularly concerning as they provide attackers with the ability to inject malicious scripts into web pages viewed by other users. In the context of email, this could lead to unauthorized access, data theft, or the spreading of malware among users.


Roundcube’s Swift Response:

Roundcube Webmail promptly addressed the vulnerability with the release of version 1.6.3. This security update includes a fix specifically for the reported XSS vulnerability, ensuring a safer email communication environment for users. The Roundcube team acknowledged the report by Niraj Shivtarkar and prioritized the development of a solution.

Key Changes in Roundcube Webmail 1.6.3:


1. XSS Vulnerability Fix:

– The primary focus of version 1.6.3 was to eliminate the XSS vulnerability related to the handling of linkrefs in plain text email messages. This fix ensures that crafted links do not pose a threat to the security and integrity of Roundcube Webmail.


2. Other Fixes and Improvements:

– The release also addresses several other bugs and regressions, showcasing Roundcube’s commitment to providing a stable and reliable email platform. Notable changes include script removal issues, jQuery-UI updates, PHP8 deprecation warnings, and more.

3. Enhanced Compatibility:

– The update includes improvements to ensure compatibility with various configurations, such as preventing issues with LDAP addressbook ‘filter’ options being ignored and addressing problems with multi-folder search results sorting.

4. User-Friendly Installation/Update:

– Users are encouraged to update their installations to version 1.6.3, and the release notes provide essential information on backing up data before initiating the update. The installation/update scripts have been refined to prevent the removal of essential options from the config file.



The following additional changes were made in Roundcube Webmail 1.6.3:

– Fix bug where scripts were removing some essential options from the config file (#9051)
– Update jQuery-UI to version 1.13.2
– Fix regression that broke use_secure_urls feature
– Fix potential PHP fatal error when opening a message with message/rfc822 part

– Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off

– Fix bug where a list of folders could have been sorted incorrectly

– Fix regression where LDAP addressbook ‘filter’ option was ignored

– Fix wrong order of a multi-folder search result when sorting by size

– Fix so install/update scripts do not require PEAR

– Fix regression where some mail parts could have been decoded incorrectly, or not at all

– Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH

– Fix PHP8 deprecation warning in the reconnect plugin

– Fix “Show source” on mobile with x_frame_options = deny

– Fix various PHP warnings

– Fix deprecated use of ldap_connect() in password’s ldap_simple driver

– Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages




– roundcube-framework-1.6.3.tar.gz

– roundcube-framework-1.6.3.tar.gz.asc

– roundcubemail-1.6.3-complete.tar.gz

– roundcubemail-1.6.3-complete.tar.gz.asc

– roundcubemail-1.6.3.tar.gz

– roundcubemail-1.6.3.tar.gz.asc

– Source code (ZIP)

– Source code (tar.gz)


How to Secure Your Roundcube Installation:


If you are running Roundcube Webmail, it is crucial to take immediate action to secure your installation:



  1. Update to Version 1.6.3:

   – Visit the official Roundcube Webmail GitHub releases page and download the appropriate files for your installation.


  1. Backup Your Data:

   – Before proceeding with the update, ensure that you have a recent backup of your Roundcube data to prevent any potential data loss during the update process.


  1. Follow Installation/Update Guidelines:

   – Refer to the updated installation and update scripts provided with version 1.6.3 to ensure a smooth transition without compromising essential configuration options.




The timely response of the Roundcube team to CVE-2023-43770, coupled with the comprehensive changelog and download links provided, demonstrates their commitment to user security and the integrity of email communication. Users are strongly encouraged to update their installations to version 1.6.3 and follow the recommended security measures. As we navigate the digital landscape, staying vigilant and proactive in addressing vulnerabilities is crucial to maintaining a secure and reliable email communication environment.


Leave a Comment

Your email address will not be published. Required fields are marked *

Exit mobile version