CVE-2020-35730 - Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Project: Roundcube
Product: Roundcube Webmail
Date Added: 2023-06-22
Due Date: 2023-07-13
Vulnerability Name
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Description
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply updates per vendor instructions.
Additional Notes
https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13
https://nvd.nist.gov/vuln/detail/CVE-2020-35730
Related News Articles
Russian hackers breach orgs to track aid routes to Ukraine - May 22, 2025
Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics - May 22, 2025
Government webmail hacked via XSS bugs in global spy campaign - May 16, 2025
Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers - May 15, 2025
Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008) - August 7, 2024