CVE-2020-35730 Overview
CVE-2020-35730 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, a popular open-source webmail solution. It affects versions before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. An attacker can exploit the flaw by sending a specially crafted plain text email message that contains JavaScript within a link reference element. The malicious content is mishandled by the linkref_addindex function in rcube_string_replacer.php, allowing arbitrary JavaScript to execute in the victim's browser session when the message is viewed.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation allows attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or further malware delivery.
Affected Products
- Roundcube Webmail versions before 1.2.13
- Roundcube Webmail 1.3.x versions before 1.3.16
- Roundcube Webmail 1.4.x versions before 1.4.10
- Fedora Project Fedora 32 and 33
- Debian Linux 9.0
Discovery Timeline
- December 28, 2020 - CVE-2020-35730 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2020-35730
Vulnerability Analysis
This Cross-Site Scripting vulnerability stems from improper input sanitization in Roundcube Webmail's email rendering functionality. When processing plain text emails, the application fails to properly sanitize link reference elements before rendering them in the user's browser. The vulnerable code resides in rcube_string_replacer.php, specifically within the linkref_addindex function which handles the conversion of plain text link references into clickable HTML elements.
The flaw allows attackers to craft emails that bypass the application's existing XSS protections. When a victim views the malicious email through their Roundcube webmail interface, the embedded JavaScript executes within the context of their authenticated session. This can lead to theft of session cookies, access to sensitive email content, or the ability to perform actions on behalf of the compromised user.
Root Cause
The root cause of CVE-2020-35730 lies in insufficient input validation within the linkref_addindex function in rcube_string_replacer.php. The function processes link reference elements from plain text emails but fails to properly escape or sanitize JavaScript code embedded within these elements. This allows malicious payloads to pass through the sanitization layer and render as executable code in the browser.
Attack Vector
The attack is executed remotely over the network and requires user interaction. An attacker sends a malicious plain text email to a target user of a vulnerable Roundcube Webmail installation. The email contains JavaScript embedded within a link reference element structure. When the victim opens and views the email through the Roundcube web interface, the malicious JavaScript executes in their browser context. The attacker does not require any prior authentication or privileges on the target system.
The vulnerability exploits the way Roundcube processes link references in plain text emails. The attacker crafts an email where the link reference structure contains JavaScript that is not properly sanitized by the linkref_addindex function, resulting in the script being embedded directly into the HTML rendered to the user.
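A simplified model of the defect class described above, added here as an illustration and not Roundcube's own code: converted fragments are stashed under placeholder tokens, the message body is HTML-escaped, and the tokens are then restored verbatim, so any fragment stashed without escaping bypasses the escaping step entirely. The `[label]: URL` reference syntax, the function names and the sample message are assumptions of this model; a harmless `<b>` tag stands in for whatever markup a label might carry.

```python
import html
import re

# Simplified model (added illustration, not Roundcube's code) of a
# plain-text-to-HTML pipeline that stashes fragments as placeholder
# tokens, HTML-escapes the body, then restores the tokens verbatim.
# Reference definitions are assumed to look like "[label]: http://..."
LINKDEF_RE = re.compile(r'\[([^\]#]+)\]:?\s*(https?://[^\s<>"]+)')
TOKEN_RE = re.compile(r'##str_replacement\[(\d+)\]##')


def render(text, escape_label):
    """escape_label=False models the defect class: the stashed label
    skips the body escaping step and reaches the HTML unchanged."""
    stash = []

    def add(fragment):
        stash.append(fragment)
        return '##str_replacement[%d]##' % (len(stash) - 1)

    def on_linkdef(m):
        label, url = m.group(1), m.group(2)
        safe_url = html.escape(url, quote=True)
        anchor = '<a href="%s">%s</a>' % (safe_url, safe_url)
        label_out = html.escape(label, quote=True) if escape_label else label
        # Both placeholders survive the escaping below and are swapped
        # back verbatim, so label_out must already be safe HTML.
        return add('[' + label_out + ']') + ' ' + add(anchor)

    text = LINKDEF_RE.sub(on_linkdef, text)
    text = html.escape(text, quote=True)          # body is escaped here
    return TOKEN_RE.sub(lambda m: stash[int(m.group(1))], text)


# Constructed sample body: the label carries markup that should never
# reach the browser unescaped. A harmless <b> tag stands in for any HTML.
SAMPLE = "See the docs: [<b>docs</b>]: https://example.test/docs\nThanks!"


def label_reaches_html_raw(body):
    """True if the vulnerable path emits the label's markup verbatim."""
    return '[<b>docs</b>]' in render(body, escape_label=False)


def label_is_escaped(body):
    """True if the hardened path neutralises the label's markup."""
    out = render(body, escape_label=True)
    return '[&lt;b&gt;docs&lt;/b&gt;]' in out and '<b>' not in out
```

The fix pattern is the same in any placeholder-based converter: escape a fragment at the moment it is stashed, never assume a later global escaping pass will reach it.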
Detection Methods for CVE-2020-35730
Indicators of Compromise
- Suspicious plain text emails containing unusual link reference syntax or JavaScript patterns
- Web server logs showing requests with encoded JavaScript payloads in email viewing endpoints
- Unexpected session activity or unauthorized actions performed from legitimate user accounts
- Browser console errors or unusual script execution when viewing emails
Detection Strategies
- Monitor email content for suspicious link reference patterns containing script tags or JavaScript event handlers
- Implement web application firewall (WAF) rules to detect and block XSS payloads in email content
- Enable logging of all email rendering activities and analyze for anomalous JavaScript execution attempts
- Deploy endpoint detection solutions to identify browser-based script execution anomalies
Monitoring Recommendations
- Enable detailed access logging on Roundcube Webmail servers to capture all email viewing events
- Configure alerting for any detected XSS patterns in inbound email traffic
- Monitor user session behavior for signs of session hijacking following email access
- Review Roundcube application logs for errors related to rcube_string_replacer.php
How to Mitigate CVE-2020-35730
Immediate Actions Required
- Upgrade Roundcube Webmail immediately to 1.2.13, 1.3.16, or 1.4.10 (or a later release of the same branch)
- Review server logs for evidence of exploitation attempts targeting this vulnerability
- Force session invalidation and password resets for any potentially compromised accounts
- Consider temporarily disabling external email access until patching is complete
Patch Information
Roundcube has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- Version 1.2.13 for the 1.2.x branch - see Roundcube Release v1.2.13
- Version 1.3.16 for the 1.3.x branch - see Roundcube Release v1.3.16
- Version 1.4.10 for the 1.4.x branch - see Roundcube Release v1.4.10
The latest versions are available from the Roundcube Download Page. For Fedora users, updated packages are available through the standard package manager as noted in the Fedora Package Announcement. Debian users should refer to the Debian Bug Report #978491 for distribution-specific updates.
Workarounds
- Implement a Web Application Firewall (WAF) with XSS protection rules to filter malicious email content
- Configure Content Security Policy (CSP) headers to restrict JavaScript execution sources
- Consider implementing email content filtering at the mail server level to strip suspicious link references
- Enable HTTP-only and Secure flags on session cookies to reduce the impact of potential session theft
# Example Apache CSP configuration to mitigate XSS impact
# Add to Roundcube virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
# Enable HTTP-only cookies in Roundcube config.inc.php
# $config['session_httponly'] = true;
# $config['session_secure'] = true;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.