Description
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Remediation
References