Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.5
CVE Id: CVE-2011-1492
Last Modified: 20 Apr 2011 10:33:46
Published: 08 Apr 2011 11:17:28
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2011-1492

Summary

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.

Vulnerable Systems

Application

  • Roundcube Webmail 0.1

  • Roundcube Webmail 0.1.1

  • Roundcube Webmail 0.2

  • Roundcube Webmail 0.2.1

  • Roundcube Webmail 0.3

  • Roundcube Webmail 0.3.1

  • Roundcube Webmail 0.4

  • Roundcube Webmail 0.4.1

  • Roundcube Webmail 0.4.2

  • Roundcube Webmail 0.5


References

CONFIRM - http://trac.roundcube.net/changeset/4488

MLIST - [oss-security] 20110404 Re: CVE request: roundcube < 0.5.1 CSRF

MLIST - [oss-security] 20110324 Re: CVE request: roundcube < 0.5.1 CSRF

XF - roundcube-modcss-security-bypass(66613)

CONFIRM - http://trac.roundcube.net/wiki/Changelog

SECUNIA - 44050

MLIST - [oss-security] 20110324 CVE request: roundcube < 0.5.1 CSRF


Last Updated: 27 May 2016 10:56:21