CVE-2017-16651
Severity: HIGH | CISA KEV | CVSS 7.8
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CVE details
CVSS v3.1 score: 7.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 11/9/2017
Last modified: 4/21/2026
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: Roundcube
Product: Roundcube Webmail
Vulnerability name: Roundcube Webmail File Disclosure Vulnerability
Date added to KEV: 2021-11-03
Remediation due date: 2022-05-03
Known use in ransomware campaigns: Unknown
Affected products
debian:debian_linux
roundcube:webmail
Weaknesses (CWE)
CWE-552 (Files or Directories Accessible to External Parties)
References
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html
http://www.securityfocus.com/bid/101793
https://github.com/roundcube/roundcubemail/issues/6026
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
https://www.debian.org/security/2017/dsa-4030
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.