CVE-2020-35730 — Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability

2023-06-22 • CISA Known Exploited Vulnerability

[event] Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

> AFFECTED SOFTWARE

Field	Value
Vendor	Roundcube
Product	Roundcube Webmail
CWE	CWE-79
CVE ID	CVE-2020-35730
Date Added	2023-06-22
Due Date	2023-07-13
Ransomware Campaign	Unknown

> MITIGATION

Apply updates per vendor instructions.

Due Date: 2023-07-13

> REFERENCES

[1] https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-35730