Roundcube Webmail CVE-2017-16651 Information Disclosure Vulnerability

Roundcube Webmail is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to gain access to sensitive information. Information obtained may lead to further attacks.
Roundcube Webmail versions prior to 1.1.10, 1.2.x versions prior to 1.2.7, and 1.3.x versions prior to 1.3.3 are vulnerable.

Information

Bugtraq ID: 101793
Class: Input Validation Error
CVE: CVE-2017-16651

Remote: Yes
Local: No
Published: Nov 09 2017 12:00AM
Updated: Nov 09 2017 12:00AM
Credit: david67810.
Vulnerable: Roundcube Webmail 1.3
Roundcube Webmail 1.2.5
Roundcube Webmail 1.2
Roundcube Webmail 1.1.9
Roundcube Webmail 1.1.5
Roundcube Webmail 1.1.4
Roundcube Webmail 1.1.3
Roundcube Webmail 1.1.2
Roundcube Webmail 1.1.1
Roundcube Webmail 0.1.1
Roundcube Webmail 1.2.4
Roundcube Webmail 1.2.3
Roundcube Webmail 1.1.8
Roundcube Webmail 1.1.7
Roundcube Webmail 1.1.0

Not Vulnerable: Roundcube Webmail 1.3.3
Roundcube Webmail 1.2.7
Roundcube Webmail 1.1.10

Exploit

Reports indicate that this issue is being exploited in the wild. Please see the references for more information.

References:

• RoundCube Webmail Homepage (RoundCube)
  
• DSA-4030-1 roundcube -- security update (Debian)
  
• File Disclosure Vulnerability #6026 (Roundcube)
  
• Security updates 1.3.3, 1.2.7 and 1.1.10 released (Roundcube)
  

Source: www.securityfocus.com