Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "roundcube", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" }, { "binary_name": "roundcube-core", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" }, { "binary_name": "roundcube-mysql", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" }, { "binary_name": "roundcube-pgsql", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" }, { "binary_name": "roundcube-plugins", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" }, { "binary_name": "roundcube-sqlite3", "binary_version": "1.2~beta+dfsg.1-0ubuntu1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "roundcube", "binary_version": "1.3.6+dfsg.1-1" }, { "binary_name": "roundcube-core", "binary_version": "1.3.6+dfsg.1-1" }, { "binary_name": "roundcube-mysql", "binary_version": "1.3.6+dfsg.1-1" }, { "binary_name": "roundcube-pgsql", "binary_version": "1.3.6+dfsg.1-1" }, { "binary_name": "roundcube-plugins", "binary_version": "1.3.6+dfsg.1-1" }, { "binary_name": "roundcube-sqlite3", "binary_version": "1.3.6+dfsg.1-1" } ] }