cvebase
CVE-2017-16651
published 2017-11-09

CVE-2017-16651: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including…

Priority: P1 (score 86, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 42.83% (98.5th percentile)
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Affected

14 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | (not shown) | (not shown)
debian | debian_linux | (not shown) | (not shown)
debian | roundcube | < 1.3.3+dfsg.1-1 (bookworm) | 1.3.3+dfsg.1-1 (bookworm)
roundcube | webmail | <= 1.1.9 | 1.1.10
roundcube | webmail | (10 further ranges; bounds not shown on this page) | (not shown)

Detection & IOCs (extracted from sources)

url: _task=settings&_action=upload-display&_from=timezone
command (POST parameter): _timezone[files][1][path]=<target_file>
  • Monitor HTTP POST requests to the login endpoint containing the parameter '_timezone[files][1][path]', which is used to inject an arbitrary file path during authentication. The parameter travels in the POST body, so this stage is only visible where request bodies are logged (WAF, reverse proxy with body logging), not in a plain access log.
  • Detect authenticated GET requests combining all three parameters: _task=settings, _action=upload-display, and _from=timezone — this is the file retrieval step of the exploit.
  • The attack requires a valid authenticated session; look for the two-stage pattern: a login POST with _timezone[files][1][path] followed by a GET with _task=settings&_action=upload-display&_from=timezone from the same session.
  • Flag requests where _from=timezone is combined with upload-display action, as this triggers file-based attachment plugins to serve the injected file path.
  • The vulnerability is only exploitable when file-based attachment plugins are enabled; these are used by default, meaning most default installations are vulnerable.
  • Affected versions span 1.1.0–1.1.9, 1.2.0–1.2.6, and 1.3.0–1.3.2; detections should be scoped to these version ranges and retired once patched to 1.1.10, 1.2.7, or 1.3.3 respectively.
  • This vulnerability was exploited in the wild in November 2017 and is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active threat actor use.
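The two-stage pattern described in the bullets above, as an added detection example that is not part of this page, of Roundcube, or of any vendor rule set. It runs over constructed JSON-lines records from a hypothetical reverse proxy or WAF that logs the query string and the decoded POST body, correlates stage 1 (a login POST carrying _timezone[files][1][path]) with stage 2 (a GET carrying _task=settings, _action=upload-display and _from=timezone) per client address, and emits a lower-severity finding for a stage-2 request seen on its own. The log format, field names, time window and sample records are assumptions; the request parameters are the ones the page lists.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample records (not real traffic) in a hypothetical JSON-lines format
# from a reverse proxy or WAF that logs the query string and the decoded POST body.
# A plain access log has no POST body, so stage 1 is only visible with body logging.
SAMPLE_LOG = """\
{"ts": "2017-11-09T10:00:01Z", "client": "10.0.0.5", "method": "POST", "query": "_task=login", "body": "_user=alice&_pass=REDACTED&_timezone=Europe%2FBerlin"}
{"ts": "2017-11-09T10:00:09Z", "client": "10.0.0.5", "method": "GET", "query": "_task=mail&_action=list", "body": ""}
{"ts": "2017-11-09T10:02:30Z", "client": "198.51.100.7", "method": "POST", "query": "_task=login", "body": "_user=bob&_pass=REDACTED&_timezone%5Bfiles%5D%5B1%5D%5Bpath%5D=%2Fetc%2Fpasswd"}
{"ts": "2017-11-09T10:02:41Z", "client": "198.51.100.7", "method": "GET", "query": "_task=settings&_action=upload-display&_from=timezone", "body": ""}
{"ts": "2017-11-09T11:30:00Z", "client": "203.0.113.9", "method": "GET", "query": "_task=settings&_action=upload-display&_from=timezone", "body": ""}
"""

# Stage 1: the injected path parameter in the login POST (parameter name from the page).
STAGE1_PARAM = "_timezone[files][1][path]"
# Stage 2: the three query parameters that trigger the file-serving code path.
STAGE2_PARAMS = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}


def parse_record(line):
    """Parse one JSON-lines record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def stage1_target(rec):
    """Return the injected file path if rec is a login POST carrying
    _timezone[files][1][path] (URL-encoded or not), otherwise None."""
    if rec["method"] != "POST" or parse_qs(rec["query"]).get("_task") != ["login"]:
        return None
    values = parse_qs(rec["body"]).get(STAGE1_PARAM)  # parse_qs decodes %5B/%5D in names
    return values[0] if values else None


def is_stage2(rec):
    """True for a GET whose query carries all three retrieval parameters."""
    if rec["method"] != "GET":
        return False
    query = parse_qs(rec["query"])
    return all(query.get(key) == [value] for key, value in STAGE2_PARAMS.items())


def detect(log_text, window=timedelta(minutes=15)):
    """Walk the log in order and correlate the two stages per client address.

    Returns one finding per stage-2 request: 'high' when a stage-1 login from the
    same client was seen within `window`, 'medium' for a stage-2 request alone
    (still worth review, e.g. when POST bodies were not logged)."""
    pending = {}      # client address -> list of (stage-1 timestamp, injected path)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        client = rec["client"]
        path = stage1_target(rec)
        if path is not None:
            pending.setdefault(client, []).append((rec["ts"], path))
            continue
        if not is_stage2(rec):
            continue
        recent = [(ts, p) for ts, p in pending.get(client, [])
                  if timedelta(0) <= rec["ts"] - ts <= window]
        if recent:
            ts, p = recent[-1]
            findings.append({"severity": "high", "client": client, "file": p,
                             "stage1_ts": ts.isoformat(), "stage2_ts": rec["ts"].isoformat()})
        else:
            findings.append({"severity": "medium", "client": client, "file": None,
                             "stage1_ts": None, "stage2_ts": rec["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(json.dumps(finding))
```

The correlation key is the client address rather than the session cookie: the session identifier is normally regenerated when the login succeeds, so the cookie seen on the stage-1 POST is not the one on the stage-2 GET. Tune the window to the environment, and expect stage-2-only findings wherever request bodies are not logged; the stage-2 GET alone is still the page's primary indicator.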

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P
osv | | 7.8 | HIGH |
vulncheck | | 7.8 | HIGH |
cisa | | 7.8 | HIGH |
vendor_debian | | 7.8 | HIGH |