CVE-2015-8770
published 2016-01-29


Priority: P2 (61, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 22.21% (97.4th percentile)
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.

Affected (10 ranges)

Vendor    | Product           | Version range                         | Fixed in
debian    | roundcube         | < roundcube 1.1.4+dfsg.1-1 (bookworm) | roundcube 1.1.4+dfsg.1-1 (bookworm)
roundcube | roundcube_webmail | <= 1.0.7                              |
roundcube | roundcube_webmail | (not specified)                       |
roundcube | roundcube_webmail | (not specified)                       |
roundcube | roundcube_webmail | (not specified)                       |
roundcube | roundcube_webmail | (not specified)                       |
roundcube | roundcube_webmail | >= 0 < 1.1.4+dfsg.1-1                 | 1.1.4+dfsg.1-1
roundcube | roundcube_webmail | >= 0 < 1.1.4+dfsg.1-1                 | 1.1.4+dfsg.1-1
roundcube | roundcube_webmail | >= 0 < 1.1.4+dfsg.1-1                 | 1.1.4+dfsg.1-1
roundcube | roundcube_webmail | >= 0 < 1.1.4+dfsg.1-1                 | 1.1.4+dfsg.1-1

Detection & IOCs (extracted from sources)

path: program/include/rcmail_output_html.php
path: /index.php
other: _skin=../../
  • Monitor HTTP POST requests to /index.php whose '_skin' parameter contains path traversal sequences (e.g. '../../').
  • A simple exploit sends an HTTP POST request to the vulnerable script and loads a new skin from the '/tmp' folder; alert on '_skin' values referencing /tmp or other non-standard paths.
  • If 'skin_include_php' is enabled in the Roundcube config, successful exploitation allows arbitrary PHP code execution from attacker-controlled skin files; flag this config setting as a high-risk indicator.
  • Exploitation severity escalates to RCE only when 'skin_include_php' is set to true in the Roundcube configuration.
  • Exploitation requires both valid Roundcube user credentials and the ability to create files on the vulnerable host (e.g. shared hosting environments).

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.0   | MEDIUM   | AV:N/AC:M/Au:S/C:P/I:P/A:P
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |