FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  567892
Date:      2021-03-09
Time:      06:26:48Z
Committer: bhughes

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
125f5958-b611-11e6-a9a5-b499baebfeafRoundcube -- arbitrary command execution

The Roundcube project reports

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.


Discovery 2016-11-29
Entry 2016-11-29
Modified 2016-12-14
roundcube
lt 1.2.3,1

CVE-2016-9920
94858
http://www.openwall.com/lists/oss-security/2016/12/08/17
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
bce47c89-4d3f-11e7-8080-a4badb2f4699roundcube -- arbitrary password resets

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.


Discovery 2017-04-28
Entry 2017-06-09
roundcube
lt 1.2.5,1

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
CVE-2017-8114
97e86d10-2ea7-11e6-ae88-002590263bf5roundcube -- XSS vulnerability

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).


Discovery 2016-05-06
Entry 2016-06-10
roundcube
lt 1.1.5_1,1

CVE-2016-5103
ports/209841
https://github.com/roundcube/roundcubemail/issues/5240
http://seclists.org/oss-sec/2016/q2/414
038a5808-24b3-11e5-b0c8-bf4d8935d4faroundcube -- multiple vulnerabilities

Roundcube reports:

We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support especially in regards of security and compatibility.



The security-related fixes in particular are:



* XSS vulnerability in _mbox argument

* security improvement in contact photo handling

* potential info disclosure from temp directory


Discovery 2015-05-30
Entry 2015-07-07
roundcube
ge 1.1.0,1 lt 1.1.2,1

lt 1.0.6,1

CVE-2015-5381
CVE-2015-5383
http://openwall.com/lists/oss-security/2015/07/06/10
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
4ae68e7c-dda4-11e0-a906-00215c6a37bbroundcube -- XSS vulnerability

RoundCube development Team reports:

We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

and:

During one of pen-tests I found that _mbox parameter is not properly sanitized and reflected XSS attack is possible.


Discovery 2011-08-09
Entry 2011-09-13
roundcube
lt 0.5.4,1

CVE-2011-2937
4ae68e7c-dda4-11e0-a906-00215c6a37bbroundcube -- XSS vulnerability

RoundCube development Team reports:

We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

and:

During one of pen-tests I found that _mbox parameter is not properly sanitized and reflected XSS attack is possible.


Discovery 2011-08-09
Entry 2011-09-13
roundcube
lt 0.5.4,1

CVE-2011-2937
a592e991-a919-11e2-ade0-8c705af55518roundcube -- arbitrary file disclosure vulnerability

RoundCube development team reports:

After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.


Discovery 2013-03-27
Entry 2013-04-19
roundcube
lt 0.8.6,1

CVE-2013-1904
https://secunia.com/advisories/52806/
f622608c-c53c-11e7-a633-009c02a2ab30roundcube -- file disclosure vulnerability

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.


Discovery 2017-11-06
Entry 2017-11-11
Modified 2017-12-31
roundcube
lt 1.3.3,1

https://github.com/roundcube/roundcubemail/issues/6026
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
CVE-2017-16651
ports/223557
48894ca9-3e6f-11e8-92f0-f0def167eeearoundcube -- IMAP command injection vulnerability

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.


Discovery 2018-04-11
Entry 2018-04-13
roundcube
le 1.3.5,1

CVE-2018-9846
https://roundcube.net/news/2018/04/11/security-update-1.3.6