CVE-2011-1491

Current Description

The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue.
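The attack the description refers to is a login CSRF: a page under the attacker's control submits the attacker's own, perfectly valid credentials through the victim's browser, so the victim is silently signed in to an account the attacker can read, and anything the victim then composes, saves as a draft or sends from that session is exposed to the attacker. The usual defence is to bind the login form to a random token held in the pre-authentication session and to reject any login POST that does not echo it back, since a cross-site form cannot read that session. The PHP below is an added illustration written for this page; it is not Roundcube's code and not the changeset referenced later on this page. The USERS table, the render_login_form and handle_login helpers, the parameter names and the simulated requests are all constructed for the demo.

```php
<?php
// Added example, not Roundcube's code: a minimal login handler protected
// against login CSRF by a token minted into the pre-authentication session.
// Run with: php login_csrf.php
declare(strict_types=1);

// Hypothetical credential store (in Roundcube this would be the IMAP login).
const USERS = ['victim' => 'correct horse', 'attacker' => 'battery staple'];

/** Render the login form, minting a fresh token bound to this session. */
function render_login_form(array &$session): string
{
    $session['login_token'] = bin2hex(random_bytes(16));
    return '<form method="post" action="/?_task=login">'
         . '<input type="hidden" name="_token" value="'
         . htmlspecialchars($session['login_token'], ENT_QUOTES) . '">'
         . '<input name="_user"><input type="password" name="_pass">'
         . '<button>Login</button></form>';
}

/**
 * Handle a login POST. Returns true only when the submitted token matches
 * the one stored in the caller's pre-auth session AND the credentials are
 * valid. On success the session is replaced (standing in for
 * session_regenerate_id()) so the pre-auth session cannot be carried over.
 */
function handle_login(array &$session, array $post): bool
{
    $expected = $session['login_token'] ?? null;
    $given    = (string) ($post['_token'] ?? '');
    // Single use: drop the token whether or not this attempt succeeds.
    unset($session['login_token']);
    if ($expected === null || !hash_equals($expected, $given)) {
        return false;   // cross-site submission, or a replayed token
    }
    $user = (string) ($post['_user'] ?? '');
    $pass = (string) ($post['_pass'] ?? '');
    if (!array_key_exists($user, USERS) || !hash_equals(USERS[$user], $pass)) {
        return false;   // wrong credentials
    }
    $session = ['id' => bin2hex(random_bytes(8)), 'user' => $user];
    return true;
}

// --- Simulation with constructed requests; no web server needed -----------

// 1. The victim visits the real login page: a token lands in her session.
$victimSession = ['id' => 'preauth-session'];
$form = render_login_form($victimSession);

// 2. Login CSRF: the attacker's page auto-submits the attacker's *valid*
//    credentials through the victim's browser. The password is correct,
//    but the forged form cannot know the token in the victim's session.
$forged = ['_user' => 'attacker', '_pass' => 'battery staple'];
$ok = handle_login($victimSession, $forged);
printf("forged cross-site login accepted? %s\n", $ok ? 'yes' : 'no');

// 3. Legitimate login: the token from the served form is echoed back.
$form = render_login_form($victimSession);
preg_match('/name="_token" value="([0-9a-f]+)"/', $form, $m);
$genuine = ['_token' => $m[1], '_user' => 'victim', '_pass' => 'correct horse'];
$ok = handle_login($victimSession, $genuine);
printf("genuine login accepted? %s; session user: %s; session id rotated: %s\n",
       $ok ? 'yes' : 'no',
       $victimSession['user'] ?? '(none)',
       ($victimSession['id'] ?? '') !== 'preauth-session' ? 'yes' : 'no');

// 4. Replay: a token that was already consumed is rejected as well.
$ok = handle_login($victimSession, $genuine);
printf("replayed token accepted? %s\n", $ok ? 'yes' : 'no');
```

Two design points matter in practice. The token has to live in a session that exists before authentication, so the application must issue a session cookie on the GET of the login page, and the session must be regenerated on success so the pre-auth identifier is never reused. The token is also single-use here; a long-lived token would let a forged request that was captured once be replayed. Checking the Origin or Referer header on the login POST is a cheap additional layer, but it is not a substitute for the token because some clients strip those headers.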

Basic Data

Published: April 08, 2011
Last Modified: August 17, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-20 (Improper Input Validation)
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 3.5
Severity: LOW
Exploitability Score: 6.8
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    All entries are CPE 2.3, Part: Application, Vendor: Roundcube, Product: Webmail. The Edition, Language, SW Edition, Target SW, Target HW and Other fields are "*" (any) in every row and are omitted below.

    Version   Update   Version End Including
    0.1       *
    0.1       alpha
    0.1       beta
    0.1       beta2
    0.1       rc1
    0.1       rc2
    0.1.1     *
    0.2       *
    0.2       alpha
    0.2       beta
    0.2.1     *
    0.3       *
    0.3       beta
    0.3       rc1
    0.3.1     *
    0.4       *
    0.4       beta
    0.4.1     *
    0.4.2     *
    *         *        0.5
    0.5       beta
    0.5       rc

    The last wildcard row (version "*", end including 0.5) covers every release up to and including 0.5, matching the "before 0.5.1" wording of the description.

Vulnerable Software List

Vendor: Roundcube
Product: Webmail
Versions: *, 0.1, 0.1.1, 0.2, 0.2.1, 0.3, 0.3.1, 0.4, 0.4.1, 0.4.2, 0.5

References

  • [oss-security] 20110324 CVE request: roundcube < 0.5.1 CSRF
    http://openwall.com/lists/oss-security/2011/03/24/3
    Tags: MLIST
  • [oss-security] 20110324 Re: CVE request: roundcube < 0.5.1 CSRF
    http://openwall.com/lists/oss-security/2011/03/24/4
    Tags: MLIST, Patch
  • [oss-security] 20110404 Re: CVE request: roundcube < 0.5.1 CSRF
    http://openwall.com/lists/oss-security/2011/04/04/50
    Tags: MLIST, Patch
  • Roundcube changeset 4490
    http://trac.roundcube.net/changeset/4490
    Tags: CONFIRM, Patch
  • Roundcube changelog
    http://trac.roundcube.net/wiki/Changelog
    Tags: CONFIRM
  • roundcube-login-info-disclosure (66815)
    https://exchange.xforce.ibmcloud.com/vulnerabilities/66815
    Tags: XF