Path Traversal Vulnerability in Roundcube Webmail Software
CVE-2015-8794

6.5MEDIUM

Key Information:

Vendor

Roundcube

Status
Roundcube Webmail
Vendor
CVE Published:
29 January 2016

What is CVE-2015-8794?

A path traversal vulnerability exists in Roundcube's addressbook photo handling component, allowing remote authenticated users to access sensitive files by manipulating the _alt parameter. This misconfiguration can lead to unauthorized reading of arbitrary files on the server, potentially exposing sensitive information.

References

https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1...
x_refsource_CONFIRM
http://trac.roundcube.net/ticket/1490379
x_refsource_CONFIRM
http://trac.roundcube.net/changeset/e84fafcec/github
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability published

.