8.8

CVE-2017-8114

Exploit

EPSS 0.63%
Published 29.04.2017 19:59:00
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Roundcube ≫ Webmail Version < 1.0.11

Roundcube ≫ Webmail Version >= 1.1.0 < 1.1.9

Roundcube ≫ Webmail Version >= 1.2.0 < 1.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.694

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

http://www.securityfocus.com/bid/98445

Third Party Advisory

VDB Entry

https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114

Third Party Advisory

Exploit

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11

Vendor Advisory

Release Notes

https://security.gentoo.org/glsa/201707-11

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-8114

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-8114

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-8114

EUVD