Hi all,
Today a security update was released for a critical vulnerability in Roundcube webmail. Updated versions (0.9.5 and 0.8.7) are already available on their website, and they also offer patches. If you are using Plesk 11.5.30, you have to rely on the response from Parallels; as of yet they have not offered an update which fixes this vulnerability.
- Download the new versions from http://roundcube.net/download
- Patch for 0.9.x: https://github.com/roundcube/roundcubem ... b26ce.diff
- Patch for 0.8.x: https://github.com/roundcube/roundcubem ... aa33c.diff
- Patch for 0.7.x: https://github.com/roundcube/roundcubem ... 37274.diff
More details will soon be published under CVE-2013-6172.
Is ASL already protecting against this issue via their WAF rules? Possibly other ASL protection will also mitigate an attack exploiting this vulnerability.
CVE-2013-6172 in Roundcube (0.9.x, 0.8.x, 0.7.x)
Lemonbit Internet Dedicated Server Management