QwikSec

Security Database

CVE

CWE

Training

CVE-2013-1904

Published: Feb 8, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://habrahabr.ru/post/174423/

x_refsource_MISC

http://sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073/

x_refsource_CONFIRM

[dev] 20130327 [RCD] zero day vulnerability (tested on v8.0 to 9.0)

mailing-list

x_refsource_MLIST

openSUSE-SU-2013:0671

vendor-advisory

x_refsource_SUSE

[oss-security] 20130328 Re: CVE Request -- roundcubemail: Local file inclusion via web UI modification of certain config options

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.