CVE-2017-16651
Severity: HIGH | CISA KEV | CVSS 7.8
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CVE Details
CVSS v3.1 Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 11/9/2017
Last Modified: 4/21/2026
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Roundcube
Product: Roundcube Webmail
Vulnerability Name: Roundcube Webmail File Disclosure Vulnerability
KEV Date Added: 2021-11-03
Remediation Due Date: 2022-05-03
Ransomware Use: Unknown
Affected Products
debian:debian_linux
roundcube:webmail
Weaknesses (CWE)
CWE-552 (Files or Directories Accessible to External Parties)
References
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (cve@mitre.org)
http://www.securityfocus.com/bid/101793 (cve@mitre.org)
https://github.com/roundcube/roundcubemail/issues/6026 (cve@mitre.org)
https://www.debian.org/security/2017/dsa-4030 (cve@mitre.org)
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/101793 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/issues/6026 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html (af854a3a-2127-422b-91ae-364da2661108)
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2017/dsa-4030 (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.