FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  567892
Date:      2021-03-09
Time:      06:26:48Z
Committer: bhughes

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
038a5808-24b3-11e5-b0c8-bf4d8935d4faroundcube -- multiple vulnerabilities

Roundcube reports:

We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support especially in regards of security and compatibility.

The security-related fixes in particular are:

* XSS vulnerability in _mbox argument

* security improvement in contact photo handling

* potential info disclosure from temp directory

Discovery 2015-05-30
Entry 2015-07-07
ge 1.1.0,1 lt 1.1.2,1

lt 1.0.6,1

48894ca9-3e6f-11e8-92f0-f0def167eeearoundcube -- IMAP command injection vulnerability

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Discovery 2018-04-11
Entry 2018-04-13
le 1.3.5,1

97e86d10-2ea7-11e6-ae88-002590263bf5roundcube -- XSS vulnerability

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).

Discovery 2016-05-06
Entry 2016-06-10
lt 1.1.5_1,1

bce47c89-4d3f-11e7-8080-a4badb2f4699roundcube -- arbitrary password resets

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Discovery 2017-04-28
Entry 2017-06-09
lt 1.2.5,1
125f5958-b611-11e6-a9a5-b499baebfeafRoundcube -- arbitrary command execution

The Roundcube project reports

steps/mail/ in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

Discovery 2016-11-29
Entry 2016-11-29
Modified 2016-12-14
lt 1.2.3,1

f622608c-c53c-11e7-a633-009c02a2ab30roundcube -- file disclosure vulnerability

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

Discovery 2017-11-06
Entry 2017-11-11
Modified 2017-12-31
lt 1.3.3,1