Description
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Remediation
References
Related Vulnerabilities
Drupal Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2007-5593)
Oracle Database Server CVE-2010-3590 Vulnerability (CVE-2010-3590)
WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.38)
Sqlite Integer Overflow or Wraparound Vulnerability (CVE-2020-13434)
MyBB Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-41362)