Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Remediation

References

CVE-2017-8114

Related Vulnerabilities

IBM WebSEAL Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-3018)

ATutor Incorrect Authorization Vulnerability (CVE-2019-16114)

WordPress Plugin Cryptocurrency Widgets-Price Ticker & Coins List Security Bypass (2.4)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-38269)

JBoss Application Server Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2011-3609)

Severity

High

Classification

CVE-2017-8114 CWE-269 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities