CVE-2020-35730

MEDIUM KEV

Roundcube Webmail <1.2.13, 1.3.x<1.3.16, 1.4.x<1.4.10 XSS via linkref_addindex

Title source: llm

Exploitation Summary

CVE-2020-35730 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 22, 2023. EIP tracks 1 public exploit from researchers including skyllpro.

AI-analyzed exploit summary This PoC demonstrates a chained exploit combining XSS and SQLi in Roundcube Webmail to exfiltrate session data. The Python script sends a malicious email with an XSS payload that triggers a SQL injection to extract session variables.

Description

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Exploits (1)

nomisec WORKING POC

by skyllpro · client-side

https://github.com/skyllpro/CVE-2021-44026-PoC

View Code ZIP pw:eip

This PoC demonstrates a chained exploit combining XSS and SQLi in Roundcube Webmail to exfiltrate session data. The Python script sends a malicious email with an XSS payload that triggers a SQL injection to extract session variables.

Classification

Working Poc 95%

Attack Type

Xss, Sqli, Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail (version not specified)

Auth required

Prerequisites: Valid SMTP credentials for sending email · Target must open the malicious email in Roundcube Webmail · Attacker-controlled C2 server

MITRE ATT&CK