CVE-2016-4069 - Vulnerability Details - OpenCVE

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensuse	Leap
Roundcube	Webmail

Configuration 1 [-]

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html
http://www.openwall.com/lists/oss-security/2016/04/23/4
http://www.securityfocus.com/bid/92654
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
https://github.com/roundcube/roundcubemail/issues/4957
https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2016-08-25T18:00:00

Updated: 2024-08-06T00:17:30.803Z

Reserved: 2016-04-23T00:00:00

Link: CVE-2016-4069

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-08-25T18:59:00.097

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-4069

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-16T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "92654", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92654"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/issues/4957"}, {"name": "openSUSE-SU-2016:2109", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"}, {"name": "[oss-security] 20160423 Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/04/23/4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2016-4069", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "92654", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92654"}, {"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"}, {"name": "https://github.com/roundcube/roundcubemail/issues/4957", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/issues/4957"}, {"name": "openSUSE-SU-2016:2109", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"}, {"name": "[oss-security] 20160423 Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/23/4"}, {"name": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5"}, {"name": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53"}, {"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:17:30.803Z"}, "title": "CVE Program Container", "references": [{"name": "92654", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92654"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/issues/4957"}, {"name": "openSUSE-SU-2016:2109", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"}, {"name": "[oss-security] 20160423 Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/04/23/4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2016-4069", "datePublished": "2016-08-25T18:00:00", "dateReserved": "2016-04-23T00:00:00", "dateUpdated": "2024-08-06T00:17:30.803Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "01EF6262-F377-47C1-8929-3A099A85FFBA", "versionEndIncluding": "1.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de CSRF en Roundcube Webmail en versiones anteriores a1.1.5 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para peticiones que descargan archivos adjuntos y provocar una denegaci\u00f3n del servicio (consumo del disco) a trav\u00e9s de vectores no especificados."}], "id": "CVE-2016-4069", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-08-25T18:59:00.097", "references": [{"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/23/4"}, {"source": "security@debian.org", "url": "http://www.securityfocus.com/bid/92654"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Mailing List"], "url": "https://github.com/roundcube/roundcubemail/issues/4957"}, {"source": "security@debian.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"}, {"source": "security@debian.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/23/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/92654"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List"], "url": "https://github.com/roundcube/roundcubemail/issues/4957"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}