CVE-2013-1904
EPSS 0.34%
Description
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
How to fix CVE-2013-1904
To remediate CVE-2013-1904, upgrade the affected package to a fixed version below.
- Debian/roundcube—upgrade to 0.7.2-9 or later
Is CVE-2013-1904 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.7.2-9