CVE-2013-6172

Name of the Vulnerable Software and Affected Versions Roundcube webmail versions prior to 0.8.7 Roundcube webmail versions 0.9.x prior to 0.9.5

Description The issue allows remote attackers to modify configuration settings via the session parameter. This can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code. Multiple vulnerabilities in the Roundcube package may lead to disruption of confidentiality, integrity, and availability of protected information, and exploitation can be done remotely.

Recommendations For versions prior to 0.8.7, update to version 0.8.7 or later. For versions 0.9.x prior to 0.9.5, update to version 0.9.5 or later. As a temporary workaround, consider restricting access to the session parameter to minimize the risk of exploitation.