Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Remediation

References

CVE-2017-8114

Related Vulnerabilities

WordPress Plugin Contextual Related Posts Multiple Vulnerabilities (3.3.1)

XWiki Improper Encoding or Escaping of Output Vulnerability (CVE-2020-13654)

ATutor Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2016-10400)

WordPress Plugin Customer Reviews for WooCommerce Cross-Site Scripting (5.16.0)

WordPress Plugin Easy2Map Photos Multiple Vulnerabilities (1.0.9)

Severity

High

Classification

CVE-2017-8114 CWE-269 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities