{"id":"UBUNTU-CVE-2011-4078","details":"include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.","modified":"2025-07-16T07:30:50.265303Z","published":"2011-11-03T15:55:00Z","withdrawn":"2025-07-18T16:42:44Z","upstream":["CVE-2011-4078"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2011-4078"},{"type":"REPORT","url":"http://openwall.com/lists/oss-security/2011/10/26/6"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2011-4078"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.3.6+dfsg.1-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.6+dfsg.1-1"}]}],"versions":["1.3.0+dfsg.1-1","1.3.1+dfsg.1-1","1.3.3+dfsg.1-1","1.3.3+dfsg.1-2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"roundcube","binary_version":"1.3.6+dfsg.1-1"},{"binary_name":"roundcube-core","binary_version":"1.3.6+dfsg.1-1"},{"binary_name":"roundcube-mysql","binary_version":"1.3.6+dfsg.1-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.3.6+dfsg.1-1"},{"binary_name":"roundcube-plugins","binary_version":"1.3.6+dfsg.1-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.3.6+dfsg.1-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-4078.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.4.3+dfsg.1-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.3+dfsg.1-1"}]}],"versions":["1.3.8+dfsg.1-2","1.3.10+dfsg.1-1","1.4.1+dfsg.1-2","1.4.2+dfsg.1-1","1.4.2+dfsg.1-2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"roundcube","binary_version":"1.4.3+dfsg.1-1"},{"binary_name":"roundcube-core","binary_version":"1.4.3+dfsg.1-1"},{"binary_name":"roundcube-mysql","binary_version":"1.4.3+dfsg.1-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.4.3+dfsg.1-1"},{"binary_name":"roundcube-plugins","binary_version":"1.4.3+dfsg.1-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.4.3+dfsg.1-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-4078.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.5.0+dfsg.1-2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0+dfsg.1-2"}]}],"versions":["1.4.11+dfsg.1-4"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"roundcube","binary_version":"1.5.0+dfsg.1-2"},{"binary_name":"roundcube-core","binary_version":"1.5.0+dfsg.1-2"},{"binary_name":"roundcube-mysql","binary_version":"1.5.0+dfsg.1-2"},{"binary_name":"roundcube-pgsql","binary_version":"1.5.0+dfsg.1-2"},{"binary_name":"roundcube-plugins","binary_version":"1.5.0+dfsg.1-2"},{"binary_name":"roundcube-sqlite3","binary_version":"1.5.0+dfsg.1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-4078.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"medium"}]}