CVE-2013-6172

EPSS 1.11%
Veröffentlicht 05.11.2013 18:55:06
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Roundcube ≫ Webmail Version <= 0.8.6

Roundcube ≫ Webmail Version0.1

Roundcube ≫ Webmail Version0.1 Update20050811

Roundcube ≫ Webmail Version0.1 Update20050820

Roundcube ≫ Webmail Version0.1 Update20051007

Roundcube ≫ Webmail Version0.1 Update20051021

Roundcube ≫ Webmail Version0.1 Updatealpha

Roundcube ≫ Webmail Version0.1 Updatebeta

Roundcube ≫ Webmail Version0.1 Updatebeta2

Roundcube ≫ Webmail Version0.1 Updaterc1

Roundcube ≫ Webmail Version0.1 Updaterc2

Roundcube ≫ Webmail Version0.1 Updatestable

Roundcube ≫ Webmail Version0.1.1

Roundcube ≫ Webmail Version0.2

Roundcube ≫ Webmail Version0.2 Updatealpha

Roundcube ≫ Webmail Version0.2 Updatebeta

Roundcube ≫ Webmail Version0.2 Updatestable

Roundcube ≫ Webmail Version0.2.1

Roundcube ≫ Webmail Version0.2.2

Roundcube ≫ Webmail Version0.3

Roundcube ≫ Webmail Version0.3 Updatebeta

Roundcube ≫ Webmail Version0.3 Updaterc1

Roundcube ≫ Webmail Version0.3 Updatestable

Roundcube ≫ Webmail Version0.3.1

Roundcube ≫ Webmail Version0.4

Roundcube ≫ Webmail Version0.4 Updatebeta

Roundcube ≫ Webmail Version0.4.1

Roundcube ≫ Webmail Version0.4.2

Roundcube ≫ Webmail Version0.5

Roundcube ≫ Webmail Version0.5 Updatebeta

Roundcube ≫ Webmail Version0.5 Updaterc

Roundcube ≫ Webmail Version0.5.1

Roundcube ≫ Webmail Version0.5.2

Roundcube ≫ Webmail Version0.5.3

Roundcube ≫ Webmail Version0.5.4

Roundcube ≫ Webmail Version0.6

Roundcube ≫ Webmail Version0.7

Roundcube ≫ Webmail Version0.7.1

Roundcube ≫ Webmail Version0.7.2

Roundcube ≫ Webmail Version0.7.3

Roundcube ≫ Webmail Version0.8.0

Roundcube ≫ Webmail Version0.8.1

Roundcube ≫ Webmail Version0.8.2

Roundcube ≫ Webmail Version0.8.3

Roundcube ≫ Webmail Version0.8.4

Roundcube ≫ Webmail Version0.8.5

Roundcube ≫ Webmail Version0.9 Updatebeta

Roundcube ≫ Webmail Version0.9 Updaterc

Roundcube ≫ Webmail Version0.9 Updaterc2

Roundcube ≫ Webmail Version0.9.0

Roundcube ≫ Webmail Version0.9.1

Roundcube ≫ Webmail Version0.9.2

Roundcube ≫ Webmail Version0.9.3

Roundcube ≫ Webmail Version0.9.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.11%	0.762

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://lists.opensuse.org/opensuse-updates/2014-03/msg00035.html

http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

Patch

Vendor Advisory

http://trac.roundcube.net/ticket/1489382

Patch

http://www.debian.org/security/2013/dsa-2787

http://www.interworx.com/developers/changelog/version-5-0-13-build-574-2014-02-19

https://nvd.nist.gov/vuln/detail/CVE-2013-6172

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2013-6172

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2013-6172

EUVD