Main Vulnerability Database SB2013032806

SB2013032806 - Fedora EPEL 6 update for roundcubemail

Published: March 28, 2013 Updated: April 24, 2025

Security Bulletin ID SB2013032806

Severity

Critical

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) PHP including (CVE-ID: CVE-2013-1904)

The vulnerability allows a remote attacker to include arbitrary files on the target system.

The weakness exists due to improper sanitization of user-supplied data within "steps/mail/sendmail.inc" script when parsing "generic_message_footer" HTTP parameter passed to "/index.php" script. A remote attacker can send a specially crafted HTTP request to the "index.php" script, include and execute arbitrary PHP script on the affected server.

Successful exploitation of the vulnerability may lead to system compromise.

Note: the vulnerability was being actively exploited.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2013-0822