Description
iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other important configuration files.. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in Beta: 0.9.8-BETA1, Stable: 0.9.7.
References (2)
Core 2
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_misc
http://legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt
Exploit, Third Party Advisory x_refsource_misc
https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-default
Scores
CVSS v3
7.5
EPSS
0.0028
EPSS Percentile
51.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (1)
iredmail/iredmail
< 0.9.6
Published
Mar 13, 2018
Tracked Since
Feb 18, 2026