CVE-2011-1492
EPSS 0.39%
Description
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.
How to fix CVE-2011-1492
To remediate CVE-2011-1492, upgrade the affected package to the fixed version listed below.
- Debian/roundcube: upgrade to 0.5.1-1 or later
Is CVE-2011-1492 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.5.1-1