Roundcube Webmail is vulnerable to unauthorized access. An attacker can access arbitrary files on the host’s filesystem, including configuration files due to a flaw related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html
www.securityfocus.com/bid/101793
github.com/roundcube/roundcubemail/issues/6026
github.com/roundcube/roundcubemail/releases/tag/1.1.10
github.com/roundcube/roundcubemail/releases/tag/1.2.7
github.com/roundcube/roundcubemail/releases/tag/1.3.3
lists.debian.org/debian-lts-announce/2017/11/msg00039.html
roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
www.debian.org/security/2017/dsa-4030