Description
steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Remediation
References