CVE-2017-8114 — Improper Privilege Management in Webmail

CWE-269 — Improper Privilege Management10 documents8 sources

Severity

8.8HIGHNVD

OSV6.1

EPSS

0.6%

top 29.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail Roundcube Webmail

Timeline

PublishedApr 29

Latest updateMar 30

Description

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDroundcube/webmail1.1.0 — 1.1.9+2

▶Ubunturoundcube/roundcube_webmail< 1.2~beta+dfsg.1-0ubuntu1+esm7+1

🔴Vulnerability Details

OSV

roundcube vulnerabilities↗2026-03-30

▶

GHSA

GHSA-4p57-8qx3-4cjv: Roundcube Webmail allows arbitrary password resets by authenticated users↗2022-05-13

▶

OSV

CVE-2017-8114: Roundcube Webmail allows arbitrary password resets by authenticated users↗2017-04-29

▶

CVEList

CVE-2017-8114: Roundcube Webmail allows arbitrary password resets by authenticated users↗2017-04-29

▶

📋Vendor Advisories

Ubuntu

Roundcube Webmail vulnerabilities↗2026-03-30

▶

Debian

CVE-2017-8114: roundcube - Roundcube Webmail allows arbitrary password resets by authenticated users. This ...↗2017

▶

💬Community

HackerOne

Roundcube virtualmin privilege escalation (CVE-2017-8114)↗2019-11-12

▶

Bugzilla

CVE-2017-8114 roundcubemail: CVE-2017-8114 [epel-6]↗2017-05-05

▶

Bugzilla

CVE-2017-8114 roundecubemail: arbitrary password resets by authenticated users↗2017-05-05

▶