CVE-2013-6172

Published: 05 November 2013

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

Priority

Medium

Status

| Package | Release | Status |
|---|---|---|
| roundcube (Launchpad, Ubuntu, Debian) | Upstream | Released (0.9.5-1) |
| roundcube | Ubuntu 16.04 ESM (Xenial Xerus) | Not vulnerable (0.9.5-2) |
| roundcube | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was not-affected [0.9.5-2]) |