Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/92654 | vdb entry |
| https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 | release notes |
| https://github.com/roundcube/roundcubemail/issues/4957 | issue tracking mailing list |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html | third party advisory vendor advisory |
| http://www.openwall.com/lists/oss-security/2016/04/23/4 | third party advisory mailing list |
| https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5 | issue tracking patch |
| https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53 | issue tracking patch |
| https://github.com/roundcube/roundcubemail/releases/tag/1.1.5 | release notes |