roundcubemail - Arch Linux
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-670 | 1.3.5-1 | 1.3.6-1 | High | Fixed | |
| AVG-506 | 1.3.2-1 | 1.3.3-1 | High | Fixed | |
| AVG-199 | 1.2.3-1 | 1.2.4-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2018-9846 | AVG-670 | High | Yes | Arbitrary command execution | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid"... |
| CVE-2017-16651 | AVG-506 | High | Yes | Arbitrary filesystem access | Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in... |
| CVE-2017-6820 | AVG-199 | Medium | Yes | Cross-site scripting | It has been discovered that rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted... |
Advisories
| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 19 Apr 2018 | ASA-201804-8 | AVG-670 | High | arbitrary command execution |
| 21 Nov 2017 | ASA-201711-27 | AVG-506 | High | arbitrary filesystem access |
| 14 Mar 2017 | ASA-201703-10 | AVG-199 | Medium | cross-site scripting |