Candidate: CVE-2013-1904
PublicDate: 2014-02-08 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1904
Description:
 Absolute path traversal vulnerability in steps/mail/sendmail.inc in
 Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote
 attackers to read arbitrary files via a full pathname in the _value
 parameter for the generic_message_footer setting in a save-perf action to
 index.php, as exploited in the wild in March 2013.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_roundcube:
 upstream: http://iweb.dl.sourceforge.net/project/roundcubemail/roundcubemail-beta/0.9-RC/save_prefs_vulnerability_fix_0.9.patch
 upstream: http://iweb.dl.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch
 upstream: http://hivelocity.dl.sourceforge.net/project/roundcubemail/roundcubemail/0.7.3/save_prefs_vulnerability_fix_0.7.patch
 upstream: http://superb-dca2.dl.sourceforge.net/project/roundcubemail/roundcubemail/0.6/save_prefs_vulnerability_fix_0.6.patch
upstream_roundcube: released (0.7.2-9)
hardy_roundcube: ignored (reached end-of-life)
lucid_roundcube: ignored (reached end-of-life)
oneiric_roundcube: ignored (reached end-of-life)
precise_roundcube: ignored (reached end-of-life)
precise/esm_roundcube: DNE (precise was needed)
quantal_roundcube: ignored (reached end-of-life)
raring_roundcube: not-affected (0.7.2-9)
saucy_roundcube: not-affected (0.7.2-9)
trusty_roundcube: not-affected (0.7.2-9)
trusty/esm_roundcube: DNE (trusty was not-affected [0.7.2-9])
utopic_roundcube: not-affected (0.7.2-9)
vivid_roundcube: not-affected (0.7.2-9)
vivid/stable-phone-overlay_roundcube: DNE
vivid/ubuntu-core_roundcube: DNE
wily_roundcube: not-affected (0.7.2-9)
xenial_roundcube: not-affected (0.7.2-9)
yakkety_roundcube: not-affected (0.7.2-9)
zesty_roundcube: not-affected (0.7.2-9)
devel_roundcube: not-affected (0.7.2-9)