FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  566966
Date:      2021-03-02
Time:      15:17:24Z
Committer: osa

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
bce47c89-4d3f-11e7-8080-a4badb2f4699    roundcube -- arbitrary password resets

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.


Discovery 2017-04-28
Entry 2017-06-09
roundcube
lt 1.2.5,1

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
CVE-2017-8114
038a5808-24b3-11e5-b0c8-bf4d8935d4fa    roundcube -- multiple vulnerabilities

Roundcube reports:

We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support especially in regards of security and compatibility.

The security-related fixes in particular are:

* XSS vulnerability in _mbox argument
* security improvement in contact photo handling
* potential info disclosure from temp directory

Discovery 2015-05-30
Entry 2015-07-07
roundcube
ge 1.1.0,1 lt 1.1.2,1

lt 1.0.6,1

CVE-2015-5381
CVE-2015-5383
http://openwall.com/lists/oss-security/2015/07/06/10
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
f622608c-c53c-11e7-a633-009c02a2ab30    roundcube -- file disclosure vulnerability

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.


Discovery 2017-11-06
Entry 2017-11-11
Modified 2017-12-31
roundcube
lt 1.3.3,1

https://github.com/roundcube/roundcubemail/issues/6026
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
CVE-2017-16651
ports/223557
97e86d10-2ea7-11e6-ae88-002590263bf5    roundcube -- XSS vulnerability

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).


Discovery 2016-05-06
Entry 2016-06-10
roundcube
lt 1.1.5_1,1

CVE-2016-5103
ports/209841
https://github.com/roundcube/roundcubemail/issues/5240
http://seclists.org/oss-sec/2016/q2/414
125f5958-b611-11e6-a9a5-b499baebfeaf    Roundcube -- arbitrary command execution

The Roundcube project reports:

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.


Discovery 2016-11-29
Entry 2016-11-29
Modified 2016-12-14
roundcube
lt 1.2.3,1

CVE-2016-9920
94858
http://www.openwall.com/lists/oss-security/2016/12/08/17
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
48894ca9-3e6f-11e8-92f0-f0def167eeea    roundcube -- IMAP command injection vulnerability

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.


Discovery 2018-04-11
Entry 2018-04-13
roundcube
le 1.3.5,1

CVE-2018-9846
https://roundcube.net/news/2018/04/11/security-update-1.3.6