CVE-2015-8770
REJECTED
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
Risk Scores
EPSS Score: 28.30% (96.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | roundcube | 0, 1.1.1+dfsg.1-2, 1.1.2+dfsg.1-5 |
| Ubuntu:18.04:LTS | roundcube | 1.3.0+dfsg.1-1, *, 1.3.1+dfsg.1-1 |
Exploit Intelligence
- http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html (vulncheck-nvd)
- https://www.htbridge.com/advisory/HTB23283 (vulncheck-nvd)
- 39245 (cve.org)
- Roundcube 1.1.3 - Directory Traversal (0day-today)
- roundcube.yml (github-poc)
Timeline
- Jan 15, 2016 PoC Published
- Jan 29, 2016 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 19, 2025 EPSS Score
- Mar 21, 2025 EPSS Score
- Mar 22, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 12, 2025 EPSS Score
- Apr 13, 2025 EPSS Score
- Apr 16, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2015-8770 third-party-advisory
- https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2015-8770 third-party-advisory