Ubuntu
roundcube package

CVE-2011-1492 request verification problem

Bug #757736 reported by Mark Foster on 2011-04-11

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	roundcube (Ubuntu)	Confirmed	Medium	Unassigned

Bug Description

Binary package hint: roundcube

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1492
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.

CVE References

2011-1492

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2011-04-19:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in roundcube (Ubuntu):
status:	New → Confirmed
importance:	Undecided → Medium

Marc Deslauriers (mdeslaur) on 2012-05-14

visibility:

private → public

Revision history for this message

quazgar (quazgar) wrote on 2020-05-04:

All Roundcube versions in Ubuntu are far more recent that 0.5.1, so this probably can be closed.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubunturoundcube package