CVE-2015-8770

Roundcube Webmail 1.1.3 - Directory Traversal

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.

Vulnerabilidad de salto de directorio en la función set_skin en program/include/rcmail_output_html.php en Roundcube en versiones anteriores a 1.0.8 y 1.1.x en versiones anteriores a 1.1.4 permite a usuarios remotos autenticados con ciertos permisos leer archivos arbitrarios o posiblemente ejecutar código arbitrario a través de un .. (punto punto) en el parámetro _skin en index.php.

Roundcube version 1.1.3 suffers from a path traversal vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-01-13 CVE Reserved
2016-01-15 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (12)

URL	Tag	Source
http://trac.roundcube.net/changeset/10e5192a2b/github	X_refsource_confirm
http://trac.roundcube.net/ticket/1490620	X_refsource_confirm
http://www.securityfocus.com/archive/1/537304/100/0/threaded	Mailing List

URL	Date	SRC
https://www.exploit-db.com/exploits/39245	2024-08-06
http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html	2024-08-06
https://www.htbridge.com/advisory/HTB23283	2024-08-06

URL	Date	SRC
https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released	2018-10-09

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html	2018-10-09
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html	2018-10-09
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html	2018-10-09
http://www.debian.org/security/2016/dsa-3541	2018-10-09
https://security.gentoo.org/glsa/201603-03	2018-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Roundcube Search vendor "Roundcube"		Roundcube Webmail Search vendor "Roundcube" for product "Roundcube Webmail"				<= 1.0.7 Search vendor "Roundcube" for product "Roundcube Webmail" and version " <= 1.0.7"		-		Affected
Roundcube Search vendor "Roundcube"		Roundcube Webmail Search vendor "Roundcube" for product "Roundcube Webmail"				1.1.0 Search vendor "Roundcube" for product "Roundcube Webmail" and version "1.1.0"		-		Affected
Roundcube Search vendor "Roundcube"		Roundcube Webmail Search vendor "Roundcube" for product "Roundcube Webmail"				1.1.1 Search vendor "Roundcube" for product "Roundcube Webmail" and version "1.1.1"		-		Affected
Roundcube Search vendor "Roundcube"		Roundcube Webmail Search vendor "Roundcube" for product "Roundcube Webmail"				1.1.2 Search vendor "Roundcube" for product "Roundcube Webmail" and version "1.1.2"		-		Affected
Roundcube Search vendor "Roundcube"		Roundcube Webmail Search vendor "Roundcube" for product "Roundcube Webmail"				1.1.3 Search vendor "Roundcube" for product "Roundcube Webmail" and version "1.1.3"		-		Affected