Fixed Intel

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Jul 13, 2023

CVE-2020-35730

High
EPSS 64.8%CISA KEV
Roundcube/Roundcube Webmail

Description

Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

EPSS — Exploit Probability

64.8%

Higher than 98.4% of all CVEs

Required Action

https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13; https://nvd.nist.gov/vuln/detail/CVE-2020-35730

Risk Assessment

HIGH
In CISA KEV
High EPSS

Details

Severity
High
EPSS
64.8%
CISA KEV
Yes
Ransomware
Unknown
Articles
0

Timeline

Published

Jun 22, 2023

Added to KEV

Jun 22, 2023

Remediation Due

Jul 13, 2023

Affected Product

Roundcube

Roundcube Webmail

View all Roundcube CVEs

External Links

NVD (NIST)CVE DetailsMITRE CVE