CVE-2013-1904
Mandriva Linux Security Advisory 2013-148
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Vulnerabilidad de recorrido de directorio absoluto en steps/mail/sendmail.inc en Roundcube Webmail anterior a 0.7.3 y 0.8.x anterior a 0.8.6 permite a atacantes remotos leer archivos arbitrarios a través de una ruta completa en el parámetro _value para la configuración generic_message_footer en una acción save-perf hacia index.php, tal y como se explotó activamente en marzo de 2013.
Cross-site scripting vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email. A local file inclusion flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed validation of the 'generic_message_footer' value provided via web user interface in certain circumstances. A remote attacker could issue a specially-crafted request that, when processed by RoundCube Webmail could allow an attacker to obtain arbitrary file on the system, accessible with the privileges of the user running RoundCube Webmail client. The updated packages have been patched and upgraded to the 0.7.4 version which is not affected by these issues.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-19 CVE Reserved
- 2013-04-22 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://habrahabr.ru/post/174423 | X_refsource_misc | |
| http://www.openwall.com/lists/oss-security/2013/03/28/8 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073 | 2014-02-10 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2013-04/msg00080.html | 2014-02-10 | |
| http://lists.roundcube.net/pipermail/dev/2013-March/022328.html | 2014-02-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | <= 0.7.2 Search vendor "Roundcube" for product "Webmail" and version " <= 0.7.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | 20050811 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | 20050820 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | 20051007 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | 20051021 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | alpha |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | beta |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | beta2 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | rc1 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | rc2 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1 Search vendor "Roundcube" for product "Webmail" and version "0.1" | stable |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.1.1 Search vendor "Roundcube" for product "Webmail" and version "0.1.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2 Search vendor "Roundcube" for product "Webmail" and version "0.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2 Search vendor "Roundcube" for product "Webmail" and version "0.2" | alpha |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2 Search vendor "Roundcube" for product "Webmail" and version "0.2" | beta |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2 Search vendor "Roundcube" for product "Webmail" and version "0.2" | stable |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2.1 Search vendor "Roundcube" for product "Webmail" and version "0.2.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.2.2 Search vendor "Roundcube" for product "Webmail" and version "0.2.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.3 Search vendor "Roundcube" for product "Webmail" and version "0.3" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.3 Search vendor "Roundcube" for product "Webmail" and version "0.3" | beta |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.3 Search vendor "Roundcube" for product "Webmail" and version "0.3" | rc1 |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.3 Search vendor "Roundcube" for product "Webmail" and version "0.3" | stable |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.3.1 Search vendor "Roundcube" for product "Webmail" and version "0.3.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.4 Search vendor "Roundcube" for product "Webmail" and version "0.4" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.4 Search vendor "Roundcube" for product "Webmail" and version "0.4" | beta |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.4.1 Search vendor "Roundcube" for product "Webmail" and version "0.4.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.4.2 Search vendor "Roundcube" for product "Webmail" and version "0.4.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5 Search vendor "Roundcube" for product "Webmail" and version "0.5" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5 Search vendor "Roundcube" for product "Webmail" and version "0.5" | beta |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5 Search vendor "Roundcube" for product "Webmail" and version "0.5" | rc |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5.1 Search vendor "Roundcube" for product "Webmail" and version "0.5.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5.2 Search vendor "Roundcube" for product "Webmail" and version "0.5.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5.3 Search vendor "Roundcube" for product "Webmail" and version "0.5.3" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.5.4 Search vendor "Roundcube" for product "Webmail" and version "0.5.4" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.6 Search vendor "Roundcube" for product "Webmail" and version "0.6" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.7 Search vendor "Roundcube" for product "Webmail" and version "0.7" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.7.1 Search vendor "Roundcube" for product "Webmail" and version "0.7.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.0 Search vendor "Roundcube" for product "Webmail" and version "0.8.0" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.1 Search vendor "Roundcube" for product "Webmail" and version "0.8.1" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.2 Search vendor "Roundcube" for product "Webmail" and version "0.8.2" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.3 Search vendor "Roundcube" for product "Webmail" and version "0.8.3" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.4 Search vendor "Roundcube" for product "Webmail" and version "0.8.4" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | 0.8.5 Search vendor "Roundcube" for product "Webmail" and version "0.8.5" | - |
Affected
| ||||||