CVE-2014-9587 — Cross-Site Request Forgery in Webmail

CWE-352 — Cross-Site Request Forgery6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

3.7%

top 12.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail

Timeline

PublishedJan 15

Latest updateMay 17

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDroundcube/webmail1.0.3

Patches

Patch: roundcube.net ↗Patch: roundcube.net ↗

🔴Vulnerability Details

GHSA

GHSA-ch25-8vj3-jr7x: Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1↗2022-05-17

▶

CVEList

CVE-2014-9587: Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1↗2015-01-15

▶

OSV

CVE-2014-9587: Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1↗2015-01-15

▶

📋Vendor Advisories

Debian

CVE-2014-9587: roundcube - Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail ...↗2014

▶

💬Community

Bugzilla

CVE-2014-9587 roundcubemail: possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins↗2015-01-07

▶