Vulnerability Description
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roundcube | Webmail | < 1.0.11 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/98445Third Party AdvisoryVDB Entry
- https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2ExploitThird Party Advisory
- https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11Release NotesVendor Advisory
- https://security.gentoo.org/glsa/201707-11Third Party Advisory
- http://www.securityfocus.com/bid/98445Third Party AdvisoryVDB Entry
- https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2ExploitThird Party Advisory
- https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11Release NotesVendor Advisory
- https://security.gentoo.org/glsa/201707-11Third Party Advisory
FAQ
What is CVE-2017-8114?
CVE-2017-8114 is a vulnerability with a CVSS score of 8.8 (HIGH). Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restr...
How severe is CVE-2017-8114?
CVE-2017-8114 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-8114?
Check the references section above for vendor advisories and patch information. Affected products include: Roundcube Webmail.