Back to KEVs

CVE-2017-16651

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,...

Basic Information

CVE State: PUBLISHED
Reserved Date: November 07, 2017
Published Date: November 09, 2017
Last Updated: February 04, 2025
Vendor: n/a
Product: n/a
Description: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

CVSS Scores

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-11-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-01-06 01:46:39 UTC) Source

References

https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 http://www.securityfocus.com/bid/101793 https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 https://www.debian.org/security/2017/dsa-4030 https://github.com/roundcube/roundcubemail/issues/6026 http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ropbear/CVE-2017-16651

Type: github • Created: 2021-01-06 01:46:39 UTC • Stars: 3

Python implementation of Roundcube LFI (CVE-2017-16651)