CVE-2017-16651

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.1.10 Roundcube Webmail versions 1.2.x prior to 1.2.7 Roundcube Webmail versions 1.3.x prior to 1.3.3

Description The issue is related to file-based attachment plugins and allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue has been exploited in the wild in November 2017.

Recommendations For Roundcube Webmail versions prior to 1.1.10, update to version 1.1.10 or later. For Roundcube Webmail versions 1.2.x prior to 1.2.7, update to version 1.2.7 or later. For Roundcube Webmail versions 1.3.x prior to 1.3.3, update to version 1.3.3 or later. As a temporary workaround, consider disabling file-based attachment plugins until a patch is available. Restrict access to the task=settings& action=upload-display& from=timezone request to minimize the risk of exploitation.