Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Max CVSS
9.8
EPSS Score
1.16%
Published
2020-05-04
Updated
2022-09-02
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Max CVSS
5.0
EPSS Score
0.45%
Published
2014-02-08
Updated
2014-02-10
2 vulnerabilities found