[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML

CVE-2017-16651

Date: (C)2017-11-10   (M)2017-11-09 


Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

CVSS Score: 6.8Access Vector:
Exploit Score: Access Complexity:
Impact Score: Authentication:
 Confidentiality:
 Integrity:
 Availability:





Reference:
https://github.com/roundcube/roundcubemail/issues/6026
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

© 2013 SecPod Technologies