CVE-2015-5382

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.0.6 Roundcube Webmail versions 1.1.x prior to 1.1.2

Description The issue allows remote authenticated users to read arbitrary files via the alt parameter when uploading a vCard. This is related to the program/steps/addressbook/photo.inc file in Roundcube Webmail.

Recommendations For versions prior to 1.0.6, update to version 1.0.6 or later. For versions 1.1.x prior to 1.1.2, update to version 1.1.2 or later. As a temporary workaround, consider restricting access to the vCard upload feature until a patch is available.