CVE-2017-8114: Security updates 1.2.5, 1.1.9 and 1.0.11 released

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Published: 28 April 2017

Tags: releases, updates, security

We just published updates to all stable versions 1.x delivering important bug fixes and improvements which we picked from the upstream branch.

The updates primarily fix a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin (CVE-2017-8114). Security-wise the update is therefore only relevant for those installations of Roundcube using the password plugin with either one of these drivers.

See the full changelog for the corresponding version in the release notes on the GitHub download pages: v1.2.5, v1.1.9, v1.0.11

All versions are considered stable and we recommend updating all production installations of Roundcube to one of these versions.

As usual, don’t forget to back up your data before updating!
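To decide whether a given installation falls under the conditions described above (an affected version, the password plugin enabled, and the virtualmin or sasl driver selected), the following triage check can be used. It is an added example, not code from the Roundcube project; the config keys `plugins` and `password_driver` and the `$config` / `$rcmail_config` array names are assumptions not stated on this page, and the sample input is constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 0): 11, (1, 1): 9, (1, 2): 5}
AFFECTED_DRIVERS = {"virtualmin", "sasl"}
QUOTED = r"""['"]([\w-]+)['"]"""

def version_affected(text):
    """True if a version string such as '1.2.4' falls in an affected range."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) < (1, 0):
        return True  # everything before 1.0.11 is listed as affected
    fixed = FIXED.get((major, minor))
    # Branches the advisory does not name are reported as not affected.
    return fixed is not None and patch < fixed

def config_value(src, key):
    """Raw right-hand side of the last $config[key] assignment, or None."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)      # block comments
    src = re.sub(r"(?m)^\s*(//|#).*$", "", src)          # whole-line comments
    pat = r"""\$(?:rcmail_)?config\[\s*['"]%s['"]\s*\]\s*=\s*(.*?);""" % re.escape(key)
    hits = re.findall(pat, src, flags=re.S)
    return hits[-1] if hits else None

def triage(version, main_config, plugin_config):
    """Combine the three conditions from the advisory into one verdict."""
    plugins = re.findall(QUOTED, config_value(main_config, "plugins") or "")
    driver = re.findall(QUOTED, config_value(plugin_config, "password_driver") or "")
    result = {
        "version_affected": version_affected(version),
        "plugin_enabled": "password" in plugins,
        "driver": driver[0] if driver else None,
    }
    result["exposed"] = (result["version_affected"] and result["plugin_enabled"]
                         and result["driver"] in AFFECTED_DRIVERS)
    return result

# Constructed sample input, not taken from a real installation.
SAMPLE_MAIN = "<?php\n$config['plugins'] = array('archive', 'password');\n"
SAMPLE_PLUGIN = ("<?php\n// $config['password_driver'] = 'sql';\n"
                 "$config['password_driver'] = 'sasl';\n")

if __name__ == "__main__":
    print(triage("1.2.4", SAMPLE_MAIN, SAMPLE_PLUGIN))
```

The comment stripping is deliberately simple and only handles whole-line and block comments, so a result of `exposed: False` on an unusual config file should be confirmed by reading the file.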
