roundcubemail

Description: A PHP web-based mail client
Version: 1.4.6-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-670 | 1.3.5-1 | 1.3.6-1 | High | Fixed | |
| AVG-506 | 1.3.2-1 | 1.3.3-1 | High | Fixed | |
| AVG-199 | 1.2.3-1 | 1.2.4-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2018-9846 | AVG-670 | High | Yes | Arbitrary command execution | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid"... |
| CVE-2017-16651 | AVG-506 | High | Yes | Arbitrary filesystem access | Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in... |
| CVE-2017-6820 | AVG-199 | Medium | Yes | Cross-site scripting | It has been discovered that rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted... |

Advisories

| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 19 Apr 2018 | ASA-201804-8 | AVG-670 | High | arbitrary command execution |
| 21 Nov 2017 | ASA-201711-27 | AVG-506 | High | arbitrary filesystem access |
| 14 Mar 2017 | ASA-201703-10 | AVG-199 | Medium | cross-site scripting |