{"id":"CVE-2023-43770","details":"Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.","aliases":["BIT-roundcube-2023-43770"],"modified":"2026-04-10T05:03:57.563316Z","published":"2023-09-22T06:15:10.090Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43770"},{"type":"ADVISORY","url":"https://roundcube.net/news/2023/09/15/security-update-1.6.3-released"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00024.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"69be0b7b8133c51bd09c5ede4bbff26d68495394"},{"introduced":"f1d376ba278aa4d9c739a0f3b3961df26cda3c07"},{"fixed":"fe42e143cac01f0aabbbe5be7f1ee29236d3594b"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"7b9a8020ff3cfe929248c572c1062d7c46d80c34"},{"fixed":"e92ec206a886461245e1672d8530cc93c618a49b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.14"},{"introduced":"1.5.0"},{"fixed":"1.5.4"},{"introduced":"1.6.0"},{"fixed":"1.6.3"}]}}],"versions":["1.1-beta","1.1-rc","1.1.0","1.2-beta","1.2-rc","1.3-beta","1.4-beta","1.4-rc1","1.4-rc2","1.4.0","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5.0","1.5.1","1.5.2","1.5.3","1.6.0","1.6.1","1.6.2","v0.1-beta2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43770.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}