VDB
CVE-2013-1904
CVE-2013-1904
PUBLISHED
CVSS 5 MEDIUM
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
EPSS 0.34% · 57.0th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
0.34%
57.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | * |
| roundcube | webmail | 0, 0.1, 0.1 |
Timeline
- Feb 8, 2014 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- http://habrahabr.ru/post/174423 url
- http://habrahabr.ru/post/174423/ url
- http://sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073/ url
- [dev] 20130327 [RCD] zero day vulnerability (tested on v8.0 to 9.0) mailing-list
- openSUSE-SU-2013:0671 vendor-advisory
- [oss-security] 20130328 Re: CVE Request -- roundcubemail: Local file inclusion via web UI modification of certain config options mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2013-1904 advisory
- http://sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073 url