Description
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Remediation
References
Related Vulnerabilities
WebLogic Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2019-17359)
Moodle URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-35652)
WordPress Plugin Gallery-Video Gallery and Youtube Gallery SQL Injection (2.0.9)
XWiki Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2022-41932)
WordPress Plugin WP Photo Album Plus Unspecified Vulnerability (7.2.04)