CVE-2015-5382

MEDIUM

Roundcube Webmail <1.0.6, <1.1.2 - Info Disclosure

Title source: llm

Description

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

References (6)

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2015/07/07/2

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2015/07/07/3

[Issue Tracking, Patch, Third Party Advisory] https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4

[Issue Tracking, Patch, Third Party Advisory] https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9

View Patch ZIP pw:eip

[Issue Tracking, Patch, Third Party Advisory] https://github.com/roundcube/roundcubemail/issues/4817

[Patch, Vendor Advisory] https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released

Scores

CVSS v3 6.5

EPSS 0.0104

EPSS Percentile 77.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (6)

roundcube/roundcube_webmail < 1.0.5

roundcube/roundcube_webmail

roundcube/webmail

n/a/n/a

Published May 23, 2017

Tracked Since Feb 18, 2026