Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Remediation

References

CVE-2017-8114

Related Vulnerabilities

WordPress Plugin WP Sitemap Page Cross-Site Scripting (1.6.6)

WordPress Plugin LittleBot ACH for Stripe + Plaid Unspecified Vulnerability (1.2.6)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-0046)

WordPress Plugin WP Mobile Edition Multiple Vulnerabilities (2.4)

Apache HTTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-2168)

Severity

High

Classification

CVE-2017-8114 CWE-269 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities