Description
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
References (6)
Core 6
Core References
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/07/07/2
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/roundcube/roundcubemail/issues/4817
Patch, Vendor Advisory x_refsource_confirm
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/07/07/3
Scores
CVSS v3
6.5
EPSS
0.0327
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (3)
roundcube/roundcube_webmail
1.1.1
roundcube/roundcube_webmail
< 1.0.5
roundcube/webmail
1.1 (3 CPE variants)
Published
May 23, 2017
Tracked Since
Feb 18, 2026