CVE-2017-8114
HIGH 8.8
EPSS 1.5%
roundcube - security update
Published: 4/29/2017
Modified: 11/19/2025
Also known as: ALPINE-CVE-2017-8114, DEBIAN-CVE-2017-8114
Description
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Affected packages (3)
- Alpine/roundcubemail: from 0, < 1.1.9-r0
- Debian/roundcube: from 0, < 1.2.3+dfsg.1-4
- Debian/roundcube: from 0, < 0.7.2-9+deb7u7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |