CVE-2011-1492 — Improper Input Validation in Webmail

CWE-20 — Improper Input Validation8 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.4%

top 39.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail

Timeline

PublishedApr 8

Latest updateMay 17

Description

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

▶NVDroundcube/webmail0.5+10

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: trac.roundcube.net ↗

🔴Vulnerability Details

GHSA

GHSA-r646-w9ph-62w9: steps/utils/modcss↗2022-05-17

▶

OSV

CVE-2011-1492: steps/utils/modcss↗2011-04-08

▶

CVEList

CVE-2011-1492: steps/utils/modcss↗2011-04-08

▶

📋Vendor Advisories

Debian

CVE-2011-1492: roundcube - steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verif...↗2011

▶

💬Community

Bugzilla

CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes↗2011-03-24

▶

Bugzilla

CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes [epel-6]↗2011-03-24

▶

Bugzilla

CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes [fedora-all]↗2011-03-24

▶