Summary
Roundcube has released security updates to address three vulnerabilities – one of which is rated “critical” – in its Webmail product, a browser-based email client. If exploited, the critical vulnerability could allow a remote attacker to gain unauthorized access to sensitive information on the target system.
Risk
Estimate of the vulnerability’s impact on the target community: HIGH/ORANGE (66.66/100) [1].
Type
- Information Disclosure
- Data Manipulation
Affected products and/or versions
Roundcube Webmail
- versions prior to 1.5.8
- 1.6.x, versions prior to 1.6.8
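A triage check for the affected ranges listed above, added here as an example and not taken from the advisory or from Roundcube. It assumes the installed version is declared as `RCMAIL_VERSION` in `program/include/iniset.php`; the function names and the sample inventory are constructed for illustration.

```python
import re
from pathlib import Path

# Fixed releases from the advisory: 1.5.8 (1.5.x and older) and 1.6.8 (1.6.x).
FIXED_OLD = (1, 5, 8)
FIXED_16 = (1, 6, 8)

# Assumption: the version is declared as define('RCMAIL_VERSION', '...').
VERSION_DEFINE = re.compile(
    r"define\(\s*['\"]RCMAIL_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def parse_version(text):
    """Return ((major, minor, patch), has_suffix) for '1.6.7', '1.6-git', ..."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(g or 0) for g in m.group(1, 2, 3))
    return nums, bool(m.group(4).strip())

def is_affected(version):
    """True if the version falls in a range the advisory lists as affected."""
    nums, has_suffix = parse_version(version)
    if nums[:2] == (1, 6):
        fixed = FIXED_16
    elif nums < (1, 6, 0):
        fixed = FIXED_OLD
    else:
        return False  # later branches are not listed in the advisory
    # Conservative assumption: a suffixed build (-rc, -git) of the fixed
    # number may predate the release, so it is reported as affected.
    return nums < fixed or (nums == fixed and has_suffix)

def version_from_source(php_text):
    """Extract the declared version from the PHP source text, or None."""
    m = VERSION_DEFINE.search(php_text)
    return m.group(1) if m else None

def installed_version(root):
    """Read the version of a Roundcube tree rooted at `root` (assumed layout)."""
    path = Path(root) / "program" / "include" / "iniset.php"
    return version_from_source(path.read_text(errors="replace"))

if __name__ == "__main__":
    # Constructed inventory of version strings, not taken from the advisory.
    for v in ["1.4.15", "1.5.7", "1.5.8", "1.6.7", "1.6.8-rc", "1.6.8", "1.7.0"]:
        print(f"{v:10} {'UPDATE REQUIRED' if is_affected(v) else 'ok'}")
```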
Mitigation Actions
In line with the vendor’s statements, it is recommended to update vulnerable products by following the instructions in the security bulletins reported in the References section.
Unique Vulnerability Identifiers
References
https://github.com/roundcube/roundcubemail/releases
https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
[1] This estimate takes into account several parameters, including CVSS, availability of patches/workarounds and PoC, and diffusion of the affected software/devices in the reference community.