roundcubemail-1.4.11-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11303-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z roundcubemail-1.4.11-1.3 on GA media These are all security issues fixed in the roundcubemail-1.4.11-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11303 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-16651/ SUSE CVE CVE-2017-16651 page https://www.suse.com/security/cve/CVE-2017-6820/ SUSE CVE CVE-2017-6820 page https://www.suse.com/security/cve/CVE-2017-8114/ SUSE CVE CVE-2017-8114 page https://www.suse.com/security/cve/CVE-2018-9846/ SUSE CVE CVE-2018-9846 page https://www.suse.com/security/cve/CVE-2019-10740/ SUSE CVE CVE-2019-10740 page https://www.suse.com/security/cve/CVE-2020-12641/ SUSE CVE CVE-2020-12641 page https://www.suse.com/security/cve/CVE-2020-16145/ SUSE CVE CVE-2020-16145 page https://www.suse.com/security/cve/CVE-2020-35730/ SUSE CVE CVE-2020-35730 page openSUSE Tumbleweed roundcubemail-1.4.11-1.3 roundcubemail-1.4.11-1.3 as a component of openSUSE Tumbleweed Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. CVE-2017-16651 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16651.html CVE-2017-16651 https://bugzilla.suse.com/1067574 SUSE Bug 1067574 rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. CVE-2017-6820 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6820.html CVE-2017-6820 https://bugzilla.suse.com/1029035 SUSE Bug 1029035 Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. CVE-2017-8114 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8114.html CVE-2017-8114 https://bugzilla.suse.com/1036955 SUSE Bug 1036955 In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. CVE-2018-9846 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-9846.html CVE-2018-9846 https://bugzilla.suse.com/1089461 SUSE Bug 1089461 In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. CVE-2019-10740 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10740.html CVE-2019-10740 https://bugzilla.suse.com/1131801 SUSE Bug 1131801 https://bugzilla.suse.com/1175135 SUSE Bug 1175135 rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. CVE-2020-12641 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12641.html CVE-2020-12641 https://bugzilla.suse.com/1171148 SUSE Bug 1171148 https://bugzilla.suse.com/1175135 SUSE Bug 1175135 https://bugzilla.suse.com/1226069 SUSE Bug 1226069 Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. CVE-2020-16145 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16145.html CVE-2020-16145 https://bugzilla.suse.com/1175135 SUSE Bug 1175135 An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. CVE-2020-35730 openSUSE Tumbleweed:roundcubemail-1.4.11-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35730.html CVE-2020-35730 https://bugzilla.suse.com/1180399 SUSE Bug 1180399