Information disclosure in Roundcube

Published: 2017-11-10 14:12:39 | Updated: 2017-11-10 15:01:04
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVSSv2: 5.9 (AV:N/AC:L/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C)
CVSSv3: 6.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C]
CVE ID: CVE-2017-16651
CWE ID: CWE-200
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software: Roundcube
Vulnerable software versions:
  Roundcube 1.1.5
  Roundcube 1.1.4
  Roundcube 1.1.3
Vendor URL: Roundcube
Advisory type: Public

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to insufficient validation of file-based attachment plugins and of _task=settings&_action=upload-display&_from=timezone requests. A remote attacker can modify the login form and submit it with valid credentials (username/password) of an email account, then send a specially crafted HTTP request and gain unauthorized access to arbitrary files on the host's filesystem, including Roundcube's configuration files.

Note: the vulnerability is being actively exploited.

Remediation

Install the update from the vendor's website (versions 1.1.10, 1.2.7 and 1.3.3).
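Two checks a defender would want from this advisory, written here as an added example (not code from the advisory or from the Roundcube project): a version comparison against the fixed releases named in the remediation (1.1.10, 1.2.7, 1.3.3) and a scan of web-server access logs for requests carrying the _task=settings&_action=upload-display&_from=timezone parameter combination named in the description. Assumptions: only the three release branches named in the advisory are evaluated (other branches return None), the log format is the Apache/nginx "combined" format, and the sample log lines are constructed for the example.

```python
"""Defensive checks for CVE-2017-16651 (Roundcube information disclosure).

is_vulnerable(version)             -> compare a Roundcube version against the
                                      fixed releases from the advisory.
find_suspicious_requests(lines)    -> flag access-log requests carrying the
                                      parameter combination the advisory names.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Fixed releases from the advisory, keyed by release branch.
FIXED_VERSIONS = {
    (1, 1): (1, 1, 10),
    (1, 2): (1, 2, 7),
    (1, 3): (1, 3, 3),
}


def parse_version(version):
    """Turn '1.2.7' into (1, 2, 7); a non-numeric suffix ends the tuple."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True if the version predates the fixed release on its branch, False if
    it is at or past the fix, None if the branch is not one the advisory names
    (assumption: only 1.1.x, 1.2.x and 1.3.x are evaluated)."""
    v = parse_version(version)
    if len(v) < 2:
        return None
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_flagged_request(target):
    """True if the request target carries all three parameters named in the
    advisory; the query string is parsed, so parameter order does not matter."""
    qs = parse_qs(urlsplit(target).query)
    return (
        qs.get("_task") == ["settings"]
        and qs.get("_action") == ["upload-display"]
        and qs.get("_from") == ["timezone"]
    )


def find_suspicious_requests(log_lines):
    """Return (client, timestamp, target, status) for each matching log line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if is_flagged_request(m.group("target")):
            hits.append((m.group("client"), m.group("ts"),
                         m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines, not real traffic (203.0.113.0/24 is a
# documentation address range). Lines 2 and 4 should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2017:14:12:39 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Nov/2017:14:13:02 +0000] "GET /?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 842',
    '203.0.113.9 - - [10/Nov/2017:14:13:05 +0000] "GET /?_task=settings&_action=edit-prefs&_section=general HTTP/1.1" 200 3311',
    '203.0.113.7 - - [10/Nov/2017:14:14:11 +0000] "POST /?_from=timezone&_action=upload-display&_task=settings HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ver in ("1.1.5", "1.1.10", "1.2.7", "1.3.2"):
        state = {True: "vulnerable", False: "fixed", None: "branch not covered"}
        print(ver, state[is_vulnerable(ver)])
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

A 403 hit (last sample line) still belongs in the report: the request was attempted even though the server refused it, which is the signal to look for when deciding whether an unpatched instance was probed before the update was applied.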

External links

https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
