⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2013-1904: Path Traversal in Webmail

CWE-22 Path Traversal | 9 documents | 7 sources
Severity: 5.0 MEDIUM (NVD)
EPSS: 0.3% (top 43.24%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Affected products
Timeline
Published: Feb 8
Latest update: May 17

Description

Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD | roundcube/webmail | 0.7.2 +24

Patches

🔴 Vulnerability Details (4)

GHSA | GHSA-xhjq-9gfc-7x74: Absolute path traversal vulnerability in steps/mail/sendmail | 2022-05-17
OSV | CVE-2013-1904: Absolute path traversal vulnerability in steps/mail/sendmail | 2014-02-08
CVEList | CVE-2013-1904: Absolute path traversal vulnerability in steps/mail/sendmail | 2014-02-08
VulnCheck | Roundcube Webmail Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2013

📋 Vendor Advisories (1)

Debian | CVE-2013-1904: roundcube - Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube We... | 2013

💬 Community (3)

Bugzilla | CVE-2013-1904 roundcubemail: Local file inclusion via web UI modification of certain config options [epel-6] | 2013-03-28
Bugzilla | CVE-2013-1904 roundcubemail: Local file inclusion via web UI modification of certain config options [fedora-all] | 2013-03-28
Bugzilla | CVE-2013-1904 roundcubemail: Local file inclusion via web UI modification of certain config options | 2013-03-28