Roundcube: >> Webmail >> 1.1 Security Vulnerabilities
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.
CVSS Score
8.8
EPSS Score
0.008
Published
2017-01-30
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
CVSS Score
7.5
EPSS Score
0.448
Published
2016-12-08
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
CVSS Score
8.8
EPSS Score
0.011
Published
2016-08-25
Page 4