CVE-2017-8114 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-8114 PUBLISHED

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

EPSS 0.63% · 70.2th percentile

Risk Scores

EPSS Score

0.63%

70.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	roundcube	0, 1.1.1+dfsg.1-2, 1.1.2+dfsg.1-5

Timeline

CVE Published
Nov 12, 2019 PoC Published
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 25, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Jul 7, 2023 EPSS Score
Nov 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2017-8114 third-party-advisory
https://github.com/roundcube/roundcubemail/releases/tag/1.2.5 third-party-advisory
https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 third-party-advisory
https://github.com/roundcube/roundcubemail/releases/tag/1.1.9 third-party-advisory
https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 third-party-advisory
https://github.com/roundcube/roundcubemail/releases/tag/1.0.11 third-party-advisory
https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2017-8114 third-party-advisory

Open in Interactive Console →