CVE-2017-8114

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-8114
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8114.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-8114
Downstream
Related
Published
2017-04-29T19:59:00.217Z
Modified
2026-02-04T20:38:17.033857Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

References

Affected packages

Git / github.com/roundcube/roundcubemail

Affected ranges

Type
GIT
Repo
https://github.com/roundcube/roundcubemail
Events
Introduced
190ae4f800b2d40c0edb579b34c1b188089c2a6a
Fixed
4181f296087397d444f944a47151e94212a53e8e
Fixed
ca74231733849fb170a272cf5bf67e230cee3745
Introduced
1d7be448f309d33c6ad4252c0abf581402891f22
Fixed
e62a7d0dfa1ffe603c9a0a6d967bd738498e1d0f

Affected versions

1.*
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2-beta
1.2-rc
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8114.json"