{"id":"CVE-2017-16651","details":"Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.","modified":"2026-04-16T04:38:40.921249866Z","published":"2017-11-09T14:29:00.267Z","related":["openSUSE-SU-2024:11303-1"],"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101793"},{"type":"REPORT","url":"https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.3.3"},{"type":"REPORT","url":"https://www.debian.org/security/2017/dsa-4030"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.1.10"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.2.7"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/issues/6026"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"last_affected":"4181f296087397d444f944a47151e94212a53e8e"},{"introduced":"0"},{"last_affected":"1d7be448f309d33c6ad4252c0abf581402891f22"},{"introduced":"0"},{"last_affected":"12813e9d430c057659a07c37b5680b6fd78efc12"},{"introduced":"0"},{"last_affected":"444fdb6161bdb0c5e90d41e30803f10e8dd5f9e8"},{"introduced":"0"},{"last_affected":"f04fc506b0bd2c8033b657978baa1a9f34d0eab6"},{"introduced":"0"},{"last_affected":"cbd35626f7db7855f3b5e2db00d28ecc1554e9f4"},{"introduced":"0"},{"last_affected":"e62a7d0dfa1ffe603c9a0a6d967bd738498e1d0f"},{"introduced":"0"},{"last_affected":"3644b02d0bd0d472f593fb2a732b2b5bc762fd50"},{"introduced":"0"},{"last_affected":"854aa7f35f6ed963033e2c0c4735852af7eca21b"},{"introduced":"0"},{"last_affected":"b6132b2bcd69e648f74677b741e4dfbfe7bb77cc"},{"introduced":"0"},{"last_affected":"2c7f3751ab5a1b04d7bb300cdac419848ccc6f32"},{"fixed":"7f992eac3d283f29ee42fe955f01b8d4f8fbd628"},{"fixed":"987856eee2543a5a111a012c0f8f91ebc083ab5e"},{"fixed":"d84391d2c850751489e3edb044ab3d2e83fed21e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.9"},{"introduced":"0"},{"last_affected":"1.2.0"},{"introduced":"0"},{"last_affected":"1.2.1"},{"introduced":"0"},{"last_affected":"1.2.2"},{"introduced":"0"},{"last_affected":"1.2.3"},{"introduced":"0"},{"last_affected":"1.2.4"},{"introduced":"0"},{"last_affected":"1.2.5"},{"introduced":"0"},{"last_affected":"1.2.6"},{"introduced":"0"},{"last_affected":"1.3.0"},{"introduced":"0"},{"last_affected":"1.3.1"},{"introduced":"0"},{"last_affected":"1.3.2"}]}}],"versions":["1.1-beta","1.1-rc","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.2-beta","1.2-rc","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.3-beta","1.3-rc","1.3.0","1.3.1","1.3.2","v0.1-beta2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16651.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}