| Name | CVE-2015-8794 |
| Description | Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| roundcube (PTS) | bullseye | 1.4.15+dfsg.1-1+deb11u4 | fixed |
| bullseye (security) | 1.4.15+dfsg.1-1+deb11u5 | fixed |
| bookworm, bookworm (security) | 1.6.5+dfsg-1+deb12u5 | fixed |
| forky, sid, trixie | 1.6.11+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| roundcube | source | squeeze | (not affected) | | | |
| roundcube | source | wheezy | (not affected) | | | |
| roundcube | source | (unstable) | 1.1.2+dfsg.1-1 | | | |
Notes
[wheezy] - roundcube <not-affected> (Vulnerable code not present)
[squeeze] - roundcube <not-affected> (Vulnerable code not present)
http://www.scip.ch/en/?vuldb.80732
http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
http://trac.roundcube.net/ticket/1490379