Candidate: CVE-2013-6172
PublicDate: 2013-11-05 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
 http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
 http://trac.roundcube.net/ticket/1489382
Description:
 steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x
 before 0.9.5 allows remote attackers to modify configuration settings via
 the _session parameter, which can be leveraged to read arbitrary files,
 conduct SQL injection attacks, and execute arbitrary code.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727668
 https://bugs.launchpad.net/ubuntu/trusty/+source/roundcube/+bug/1256293
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_roundcube:
upstream_roundcube: released (0.9.5-1)
lucid_roundcube: ignored (reached end-of-life)
precise_roundcube: ignored (reached end-of-life)
precise/esm_roundcube: DNE (precise was needed)
quantal_roundcube: ignored (reached end-of-life)
raring_roundcube: ignored (reached end-of-life)
saucy_roundcube: ignored (reached end-of-life)
trusty_roundcube: not-affected (0.9.5-2)
trusty/esm_roundcube: DNE (trusty was not-affected [0.9.5-2])
utopic_roundcube: not-affected (0.9.5-2)
vivid_roundcube: not-affected (0.9.5-2)
vivid/stable-phone-overlay_roundcube: DNE
vivid/ubuntu-core_roundcube: DNE
wily_roundcube: not-affected (0.9.5-2)
xenial_roundcube: not-affected (0.9.5-2)
yakkety_roundcube: not-affected (0.9.5-2)
zesty_roundcube: not-affected (0.9.5-2)
devel_roundcube: not-affected (0.9.5-2)