High severity7.8CISA KEVNVD Advisory· Published Nov 9, 2017· Updated Jun 17, 2026
CVE-2017-16651
CVE-2017-16651
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*range: <=1.1.9
- cpe:2.3:a:roundcube:webmail:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.3.2:*:*:*:*:*:*:*
- Range: <1.1.10, <1.2.7, <1.3.3
Patches
Vulnerability mechanics
References
10- github.com/roundcube/roundcubemail/issues/6026nvdIssue TrackingPatchThird Party Advisory
- packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.htmlnvdExploitThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/101793nvdThird Party AdvisoryVDB Entry
- github.com/roundcube/roundcubemail/releases/tag/1.1.10nvdIssue TrackingRelease NotesThird Party Advisory
- github.com/roundcube/roundcubemail/releases/tag/1.2.7nvdIssue TrackingRelease NotesThird Party Advisory
- github.com/roundcube/roundcubemail/releases/tag/1.3.3nvdIssue TrackingRelease NotesThird Party Advisory
- lists.debian.org/debian-lts-announce/2017/11/msg00039.htmlnvdMailing ListThird Party Advisory
- roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10nvdIssue TrackingVendor Advisory
- www.debian.org/security/2017/dsa-4030nvdIssue TrackingThird Party Advisory
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource
News mentions
0No linked articles in our index yet.