CVE - CVE-2013-1904

CVE-ID
CVE-2013-1904	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073/ MISC:http://habrahabr.ru/post/174423/ MLIST:[dev] 20130327 [RCD] zero day vulnerability (tested on v8.0 to 9.0) URL:http://lists.roundcube.net/pipermail/dev/2013-March/022328.html MLIST:[oss-security] 20130328 Re: CVE Request -- roundcubemail: Local file inclusion via web UI modification of certain config options URL:http://www.openwall.com/lists/oss-security/2013/03/28/8 SUSE:openSUSE-SU-2013:0671 URL:http://lists.opensuse.org/opensuse-updates/2013-04/msg00080.html
Assigning CNA
Red Hat, Inc.
Date Record Created
20130219	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20130219)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)