FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  567337
Date:      2021-03-04
Time:      19:48:40Z
Committer: madpilot

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
f622608c-c53c-11e7-a633-009c02a2ab30roundcube -- file disclosure vulnerability

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.


Discovery 2017-11-06
Entry 2017-11-11
Modified 2017-12-31
roundcube
lt 1.3.3,1

https://github.com/roundcube/roundcubemail/issues/6026
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
CVE-2017-16651
ports/223557
125f5958-b611-11e6-a9a5-b499baebfeafRoundcube -- arbitrary command execution

The Roundcube project reports

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.


Discovery 2016-11-29
Entry 2016-11-29
Modified 2016-12-14
roundcube
lt 1.2.3,1

CVE-2016-9920
94858
http://www.openwall.com/lists/oss-security/2016/12/08/17
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
bce47c89-4d3f-11e7-8080-a4badb2f4699roundcube -- arbitrary password resets

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.


Discovery 2017-04-28
Entry 2017-06-09
roundcube
lt 1.2.5,1

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
CVE-2017-8114
48894ca9-3e6f-11e8-92f0-f0def167eeearoundcube -- IMAP command injection vulnerability

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.


Discovery 2018-04-11
Entry 2018-04-13
roundcube
le 1.3.5,1

CVE-2018-9846
https://roundcube.net/news/2018/04/11/security-update-1.3.6
97e86d10-2ea7-11e6-ae88-002590263bf5roundcube -- XSS vulnerability

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).


Discovery 2016-05-06
Entry 2016-06-10
roundcube
lt 1.1.5_1,1

CVE-2016-5103
ports/209841
https://github.com/roundcube/roundcubemail/issues/5240
http://seclists.org/oss-sec/2016/q2/414