VDB-100731 · CVE-2017-8114 · BID 98445

RoundCube Webmail up to 1.0.10/1.1.8/1.2.4 Password Plugin privilege escalation


A vulnerability classified as critical has been found in RoundCube Webmail up to 1.0.10/1.1.8/1.2.4 (Mail Client Software). An unknown function of the Password Plugin component is affected. Upgrading to version 1.0.11, 1.1.9 or 1.2.5 eliminates this vulnerability. A possible solution was published 2 weeks after the vulnerability was disclosed.

| Field | 30/04/2017 10:27 | 24/11/2019 17:48 |
|---|---|---|
| type | Mail Client Software | Mail Client Software |
| vendor | RoundCube | RoundCube |
| name | Webmail | Webmail |
| version | <=1.0.10/1.1.8/1.2.4 | <=1.0.10/1.1.8/1.2.4 |
| component | Password Plugin | Password Plugin |
| cwe | 264 (privilege escalation) | 264 (privilege escalation) |
| risk | 2 | 2 |
| cvss2_vuldb_basescore | 6.0 | 6.0 |
| cvss2_vuldb_tempscore | 4.7 | 4.7 |
| cvss2_vuldb_av | N | N |
| cvss2_vuldb_ac | M | M |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | P | P |
| cvss2_vuldb_ai | P | P |
| cvss2_nvd_av | N | N |
| cvss2_nvd_ac | L | L |
| cvss2_nvd_au | S | S |
| cvss2_nvd_ci | P | P |
| cvss2_nvd_ii | P | P |
| cvss2_nvd_ai | P | P |
| cvss3_meta_basescore | 7.5 | 7.5 |
| cvss3_meta_tempscore | 6.6 | 6.6 |
| cvss3_vuldb_basescore | 6.3 | 6.3 |
| cvss3_vuldb_tempscore | 5.6 | 5.6 |
| cvss3_vuldb_av | N | N |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | L | L |
| cvss3_vuldb_a | L | L |
| cvss3_nvd_av | N | N |
| cvss3_nvd_ac | L | L |
| cvss3_nvd_pr | L | L |
| cvss3_nvd_ui | N | N |
| cvss3_nvd_s | U | U |
| cvss3_nvd_c | H | H |
| cvss3_nvd_i | H | H |
| cvss3_nvd_a | H | H |
| titleword | Password | Password |
| date | 1493424000 (29/04/2017) | 1493424000 (29/04/2017) |
| location | GitHub Repository | GitHub Repository |
| url | https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114 | https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114 |
| price_0day | $0-$5k | $0-$5k |
| name | Upgrade | Upgrade |
| upgrade_version | 1.0.11/1.1.9/1.2.5 | 1.0.11/1.1.9/1.2.5 |
| cve | CVE-2017-8114 | CVE-2017-8114 |
| cve_assigned | 1493078400 | 1493078400 |
| cve_nvd_published | 1493424000 | 1493424000 |
| cve_nvd_summary | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. |
| securityfocus | 98445 | 98445 |
| securityfocus_title | RoundCube Webmail CVE-2017-8114 Multiple Privilege Escalation Vulnerabilities | RoundCube Webmail CVE-2017-8114 Multiple Privilege Escalation Vulnerabilities |
| nessus_id | 99999 | 99999 |
| nessus_name | Debian DLA-933-1 : roundcube security update | Debian DLA-933-1 : roundcube security update |
| nessus_filename | debian_DLA-933.nasl | debian_DLA-933.nasl |
| nessus_risk | Medium | Medium |
| nessus_family | Debian Local Security Checks | Debian Local Security Checks |
| nessus_type | local | local |
| nessus_date | 1494201600 (08/05/2017) | 1494201600 (08/05/2017) |
| openvas_id | 867773 | 867773 |
| openvas_filename | gb_fedora_2017_ede53aa845_roundcubemail_fc25.nasl | gb_fedora_2017_ede53aa845_roundcubemail_fc25.nasl |
| openvas_title | Fedora Update for roundcubemail FEDORA-2017-ede53aa845 | Fedora Update for roundcubemail FEDORA-2017-ede53aa845 |
| openvas_family | Fedora Local Security Checks | Fedora Local Security Checks |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | OF | OF |
| cvss2_vuldb_rc | UC | UC |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | O | O |
| cvss3_vuldb_rc | U | U |
| reaction_days | 8 | 8 |
| 0day_days | 5 | 5 |
| exposure_days | 8 | 8 |
| cvss3_nvd_basescore | 8.8 | 8.8 |

| Field | Value |
|---|---|
| discoverydate | 1492992000 |
| date | 1494115200 (07/05/2017) |
| securityfocus_date | 1493424000 (29/04/2017) |
| securityfocus_class | Design Error |
