CVE-2013-1904

🗓️ 08 Feb 2014 00:00:00Reported by redhatType

cve🔗 web.nvd.nist.gov👁 69 Views🌐 WEB

Absolute path traversal vulnerability in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.ph

Reporter	Title	Published	Views	Family All 21
FreeBSD	roundcube -- arbitrary file disclosure vulnerability	27 Mar 201300:00	–	freebsd
Cvelist	CVE-2013-1904	8 Feb 201400:00	–	cvelist
Debian CVE	CVE-2013-1904	8 Feb 201400:00	–	debiancve
EUVD	EUVD-2013-1900	7 Oct 202500:30	–	euvd
Fedora	[SECURITY] Fedora 18 Update: roundcubemail-0.8.6-1.fc18	7 Apr 201300:30	–	fedora
Fedora	[SECURITY] Fedora 17 Update: roundcubemail-0.8.6-1.fc17	7 Apr 201300:41	–	fedora
Tenable Nessus	Fedora 17 : roundcubemail-0.8.6-1.fc17 (2013-4536)	8 Apr 201300:00	–	nessus
Tenable Nessus	Fedora 18 : roundcubemail-0.8.6-1.fc18 (2013-4564)	8 Apr 201300:00	–	nessus
Tenable Nessus	FreeBSD : roundcube -- arbitrary file disclosure vulnerability (a592e991-a919-11e2-ade0-8c705af55518)	22 Apr 201300:00	–	nessus
Tenable Nessus	Mandriva Linux Security Advisory : roundcubemail (MDVSA-2013:149)	23 Apr 201300:00	–	nessus

NVD

Node

roundcube webmailRange≤0.7.2

roundcube webmailMatch0.1

roundcube webmailMatch0.120050811

roundcube webmailMatch0.120050820

roundcube webmailMatch0.120051007

roundcube webmailMatch0.120051021

roundcube webmailMatch0.1alpha

roundcube webmailMatch0.1beta

roundcube webmailMatch0.1beta2

roundcube webmailMatch0.1rc1

roundcube webmailMatch0.1rc2

roundcube webmailMatch0.1stable

roundcube webmailMatch0.1.1

roundcube webmailMatch0.2

roundcube webmailMatch0.2alpha

roundcube webmailMatch0.2beta

roundcube webmailMatch0.2stable

roundcube webmailMatch0.2.1

roundcube webmailMatch0.2.2

roundcube webmailMatch0.3

roundcube webmailMatch0.3beta

roundcube webmailMatch0.3rc1

roundcube webmailMatch0.3stable

roundcube webmailMatch0.3.1

roundcube webmailMatch0.4

roundcube webmailMatch0.4beta

roundcube webmailMatch0.4.1

roundcube webmailMatch0.4.2

roundcube webmailMatch0.5

roundcube webmailMatch0.5beta

roundcube webmailMatch0.5rc

roundcube webmailMatch0.5.1

roundcube webmailMatch0.5.2

roundcube webmailMatch0.5.3

roundcube webmailMatch0.5.4

roundcube webmailMatch0.6

roundcube webmailMatch0.7

roundcube webmailMatch0.7.1

roundcube webmailMatch0.8.0

roundcube webmailMatch0.8.1

roundcube webmailMatch0.8.2

roundcube webmailMatch0.8.3

roundcube webmailMatch0.8.4

roundcube webmailMatch0.8.5

Source	Link
habrahabr	www.habrahabr.ru/post/174423/
openwall	www.openwall.com/lists/oss-security/2013/03/28/8
lists	www.lists.opensuse.org/opensuse-updates/2013-04/msg00080.html
sourceforge	www.sourceforge.net/p/roundcubemail/news/2013/03/security-updates-086-and-073/
lists	www.lists.roundcube.net/pipermail/dev/2013-March/022328.html

Parameter	Position	Path	Description	CWE
_value	query param	index.php	Absolute path traversal via _value in generic_message_footer during a save-perf action.	CWE-22
generic_message_footer	query param	index.php	Absolute path traversal via _value in generic_message_footer during a save-perf action.	CWE-22
action	query param	index.php	Absolute path traversal via _value in generic_message_footer during a save-perf action.	CWE-22

29 Apr 2026 01:13Current

6.5Medium risk

Vulners AI Score6.5

CVSS 25

EPSS0.0034

CWE-22