CVE-2016-4069 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2016-4069?

CVE-2016-4069 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-4069?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Roundcube Webmail.

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Opensuse	Leap	42.1
Roundcube	Webmail	<= 1.1.4

Related Weaknesses (CWE)

CWE-352

References

http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/04/23/4Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/92654
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78Issue TrackingPatch
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1Issue TrackingPatch
https://github.com/roundcube/roundcubemail/issues/4957Issue TrackingMailing List
https://github.com/roundcube/roundcubemail/releases/tag/1.1.5Release Notes
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115Release Notes
http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/04/23/4Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/92654
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78Issue TrackingPatch
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1Issue TrackingPatch
https://github.com/roundcube/roundcubemail/issues/4957Issue TrackingMailing List
https://github.com/roundcube/roundcubemail/releases/tag/1.1.5Release Notes

FAQ

What is CVE-2016-4069?

CVE-2016-4069 is a vulnerability with a CVSS score of 8.8 (HIGH). Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denia...

How severe is CVE-2016-4069?

CVE-2016-4069 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-4069?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Roundcube Webmail.