Facebook
TwitterTITLE:
Roundcube security updates 1.3.3, 1.2.7 and 1.1.10 released
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:Plesk all versions
PROBLEM DESCRIPTION:Important security updates are released for Roundcube. Plesk should update their packages as well. Exploits are already seen in the wild.
We just published updates to all stable versions from 1.1.x onwards
delivering fixes for a recently discovered file disclosure
vulnerability in Roundcube Webmail.
Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
See [Roundcube Announce] Security updates 1.3.3, 1.2.7 and 1.1.10 released
STEPS TO REPRODUCE:We just published updates to all stable versions from 1.1.x onwards
delivering fixes for a recently discovered file disclosure
vulnerability in Roundcube Webmail.
Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
See [Roundcube Announce] Security updates 1.3.3, 1.2.7 and 1.1.10 released
Install Roundcube through Plesk
ACTUAL RESULT:Vulnerable version installed
EXPECTED RESULT:Security update applied
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:Confirm bug
