| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in Roundcube Webmail 0.1/0.1.1/0.2/0.2.1/0.2.2. This impacts an unknown function. This manipulation causes cross-site request forgery. This vulnerability is tracked as CVE-2009-4077. The attack is possible to be carried out remotely. No exploit exists.
Details
A vulnerability has been found in Roundcube Webmail 0.1/0.1.1/0.2/0.2.1/0.2.2 (Mail Client Software) and classified as critical. Affected by this vulnerability is some unknown processing. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.
The weakness was disclosed 11/04/2009 by Gaku Mochizuki with Mitsui Bussan Secure Directions, Inc. (Website). The advisory is shared at trac.roundcube.net. This vulnerability is known as CVE-2009-4077. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 42966 (Fedora 10 : roundcubemail-0.2.2-4.fc10 (2009-12481)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks.
A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (54139), Tenable (42966), SecurityFocus (BID 36920†), OSVDB (59661†) and Secunia (SA37235†). The entry VDB-50916 is pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.3
VulDB Base Score: 6.3
VulDB Temp Score: 6.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 42966
Nessus Name: Fedora 10 : roundcubemail-0.2.2-4.fc10 (2009-12481)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 66434
OpenVAS Name: Fedora Core 10 FEDORA-2009-12481 (roundcubemail)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
09/04/2009 🔍11/04/2009 🔍
11/04/2009 🔍
11/04/2009 🔍
11/04/2009 🔍
11/25/2009 🔍
11/25/2009 🔍
12/07/2009 🔍
03/18/2015 🔍
02/03/2025 🔍
Sources
Advisory: trac.roundcube.netResearcher: Gaku Mochizuki
Organization: Mitsui Bussan Secure Directions, Inc.
Status: Not defined
CVE: CVE-2009-4077 (🔍)
GCVE (CVE): GCVE-0-2009-4077
GCVE (VulDB): GCVE-100-50917
X-Force: 54139
SecurityFocus: 36920 - Roundcube Webmail Multiple Cross Site Request Forgery Vulnerabilities
Secunia: 37235
OSVDB: 59661 - RoundCube Webmail User Information Modification CSRF
Vulnerability Center: 24283 - Roundcube Webmail \x3C\x3D 0.2.2 Remote Cross-Site Request Forgery (CSRF) Vulnerability, Medium
See also: 🔍
Entry
Created: 03/18/2015 15:15Updated: 02/03/2025 07:01
Changes: 03/18/2015 15:15 (60), 02/17/2017 12:31 (11), 08/28/2021 07:39 (3), 08/28/2021 07:44 (1), 02/03/2025 07:01 (15)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.