CVE-2017-16651 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary filesystem access
Description	Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-506	roundcubemail	1.3.2-1	1.3.3-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
21 Nov 2017	ASA-201711-27	AVG-506	roundcubemail	High	arbitrary filesystem access

References
https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 https://github.com/roundcube/roundcubemail/issues/6026 https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

References

https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806
https://github.com/roundcube/roundcubemail/issues/6026
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10