Nrogers

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions prior to 1.0.6 Roundcube Webmail versions 1.1.x prior to 1.1.2 **Description** The issue allows remote authenticated users to read arbitrary files via the ` alt` parameter when uploading a vCard. This is related to the `program/steps/addressbook/photo.inc` file in Roundcube Webmail. **Recommendations** For versions prior to 1.0.6, update to version 1.0.6 or later. For versions 1.1.x prior to 1.1.2, update to version 1.1.2 or later. As a temporary workaround, consider restricting access to the vCard upload feature until a patch is available.