A vulnerability, which was classified as critical, has been found in RoundCube up to 1.0.5 (Mail Client Software). Affected by this issue is an unknown functionality of the file program/steps/addressbook/photo.inc of the component Contact Photo Handler. The manipulation of the argument _alt with an unknown input leads to a path traversal vulnerability (Absolute). Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, and integrity. CVE summarizes:

Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.

The weakness was disclosed 01/29/2016 (Website). The advisory is shared for download at roundcube.net. This vulnerability is handled as CVE-2015-8794 since 01/29/2016. The attack may be launched remotely. The successful exploitation needs a simple authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.

Upgrading to version 1.0.6 eliminates this vulnerability.

The entry VDB-80731 is pretty similar.

Productinfo

Type

• Mail Client Software

Name

• RoundCube

Version

• 1.0.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion