CVE-2013-1904

Name	CVE-2013-1904
Description	Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
roundcube (PTS)	bullseye (security), bullseye	1.4.15+dfsg.1-1+deb11u4	fixed
	bookworm, bookworm (security)	1.6.5+dfsg-1+deb12u4	fixed
	sid, trixie	1.6.9+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
roundcube	source	squeeze	(not affected)
roundcube	source	(unstable)	0.7.2-9

[squeeze] - roundcube <not-affected> (Vulnerable code not present)