8.8

CVE-2017-8114

Exploit

EPSS 0.63%
Veröffentlicht 29.04.2017 19:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Roundcube ≫ Webmail Version < 1.0.11

Roundcube ≫ Webmail Version >= 1.1.0 < 1.1.9

Roundcube ≫ Webmail Version >= 1.2.0 < 1.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.63%	0.695

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

http://www.securityfocus.com/bid/98445

Third Party Advisory

VDB Entry

https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114

Third Party Advisory

Exploit

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11

Vendor Advisory

Release Notes

https://security.gentoo.org/glsa/201707-11

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-8114

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-8114

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-8114

EUVD