program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and
1.1.x before 1.1.2 allows remote authenticated users to read arbitrary
files via the _alt parameter when uploading a vCard.
Author | Note |
---|---|
msalvatore | It may not be safe to backport upstream’s patch for trusty as it may break functionality. |