CVE-2011-1492: Input Validation
First published: Fri Apr 08 2011(Updated: )
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| barnraiser AROUNDMe | =0.1-rc1 | |
| barnraiser AROUNDMe | =0.4 | |
| barnraiser AROUNDMe | =0.1 | |
| barnraiser AROUNDMe | =0.1-beta2 | |
| barnraiser AROUNDMe | =0.1-beta | |
| barnraiser AROUNDMe | =0.3-rc1 | |
| barnraiser AROUNDMe | =0.5-rc | |
| barnraiser AROUNDMe | =0.2-alpha | |
| barnraiser AROUNDMe | =0.1-rc2 | |
| barnraiser AROUNDMe | =0.3-beta | |
| barnraiser AROUNDMe | =0.5-beta | |
| barnraiser AROUNDMe | =0.4.2 | |
| barnraiser AROUNDMe | =0.3 | |
| barnraiser AROUNDMe | <=0.5 | |
| barnraiser AROUNDMe | =0.1.1 | |
| barnraiser AROUNDMe | =0.4-beta | |
| barnraiser AROUNDMe | =0.1-alpha | |
| barnraiser AROUNDMe | =0.4.1 | |
| barnraiser AROUNDMe | =0.2 | |
| barnraiser AROUNDMe | =0.2-beta | |
| barnraiser AROUNDMe | =0.3.1 | |
| barnraiser AROUNDMe | =0.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://trac.roundcube.net/wiki/Changelog
- http://openwall.com/lists/oss-security/2011/03/24/4
- http://openwall.com/lists/oss-security/2011/03/24/3
- http://trac.roundcube.net/changeset/4488
- http://openwall.com/lists/oss-security/2011/04/04/50
- http://secunia.com/advisories/44050
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66613
Frequently Asked Questions
What is the severity of CVE-2011-1492?
CVE-2011-1492 has been classified as a moderate severity vulnerability.
How do I fix CVE-2011-1492?
To fix CVE-2011-1492, you should upgrade Roundcube Webmail to version 0.5.1 or later.
What types of software are affected by CVE-2011-1492?
CVE-2011-1492 affects various versions of Roundcube Webmail including versions from 0.1-rc1 to 0.5.
What can attackers do with CVE-2011-1492?
Attackers exploiting CVE-2011-1492 can trigger arbitrary outbound TCP connections and potentially gather sensitive information.
Who is at risk from CVE-2011-1492?
Remote authenticated users of vulnerable versions of Roundcube Webmail are at risk from CVE-2011-1492.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/roundcube
- canonical/barnraiser aroundme
- version/barnraiser aroundme/0.1-rc1
- version/barnraiser aroundme/0.4
- version/barnraiser aroundme/0.1
- version/barnraiser aroundme/0.1-beta2
- version/barnraiser aroundme/0.1-beta
- version/barnraiser aroundme/0.3-rc1
- version/barnraiser aroundme/0.5-rc
- version/barnraiser aroundme/0.2-alpha
- version/barnraiser aroundme/0.1-rc2
- version/barnraiser aroundme/0.3-beta
- version/barnraiser aroundme/0.5-beta
- version/barnraiser aroundme/0.4.2
- version/barnraiser aroundme/0.3
- version/barnraiser aroundme/0.5
- version/barnraiser aroundme/0.1.1
- version/barnraiser aroundme/0.4-beta
- version/barnraiser aroundme/0.1-alpha
- version/barnraiser aroundme/0.4.1
- version/barnraiser aroundme/0.2
- version/barnraiser aroundme/0.2-beta
- version/barnraiser aroundme/0.3.1
- version/barnraiser aroundme/0.2.1