VDB
CVE-2017-16651
CVE-2017-16651
PUBLISHED
KEV
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
EPSS 35.94% · 97.2th percentile
Risk Scores
EPSS Score
35.94%
97.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | roundcube | 0, 1.1.2+dfsg.1-5, 1.1.3+dfsg.1-1 |
Exploit Intelligence
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc-repo)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc-repo)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc-repo)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc-repo)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc-repo)
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (nist-nvd)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc)
- Python implementation of Roundcube LFI (CVE-2017-16651) (github-poc)
…and 22 more exploits
Timeline
- Nov 9, 2017 CVE Published
- Feb 1, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Nov 3, 2021 CISA KEV Added
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 13, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-16651 third-party-advisory
- https://github.com/roundcube/roundcubemail/issues/6026 third-party-advisory
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 third-party-advisory
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 third-party-advisory
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 third-party-advisory
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-16651 third-party-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory
- https://ubuntu.com/security/notices/USN-7200-1 vendor-advisory