Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube prior to 1.0.6 and 1.1.x prior to 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
Vulnerable Product |
---|
roundcube roundcube webmail 1.1.1 |
roundcube roundcube webmail |
roundcube roundcube webmail 1.1.0 |