CVE-2017-16651

7.8 HIGH CISA KEV - Actively Exploited

Published: November 09, 2017 Modified: October 22, 2025

Description

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

http://www.securityfocus.com/bid/101793

Source: cve@mitre.org

Third Party Advisory VDB Entry

https://github.com/roundcube/roundcubemail/issues/6026

Source: cve@mitre.org

Issue Tracking Patch Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.1.10

Source: cve@mitre.org

Issue Tracking Release Notes Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.2.7

Source: cve@mitre.org

Issue Tracking Release Notes Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.3.3

Source: cve@mitre.org

Issue Tracking Release Notes Third Party Advisory

https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html

Source: cve@mitre.org

Mailing List Third Party Advisory

https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Source: cve@mitre.org

Issue Tracking Vendor Advisory

https://www.debian.org/security/2017/dsa-4030

Source: cve@mitre.org

Issue Tracking Third Party Advisory

http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory VDB Entry

http://www.securityfocus.com/bid/101793

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory VDB Entry

https://github.com/roundcube/roundcubemail/issues/6026

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Patch Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.1.10

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Release Notes Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.2.7

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Release Notes Third Party Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.3.3

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Release Notes Third Party Advisory

https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Vendor Advisory

https://www.debian.org/security/2017/dsa-4030

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

19 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.8 / 10.0

EPSS (Exploit Probability)

30.2%

97th percentile

Exploitation Status

Actively Exploited

Remediation due: 2022-05-03

Weaknesses (CWE)

CWE-552 CWE-552

Affected Vendors

debian roundcube

Related CVEs

CVE-2025-52691 10.0

CVE-2025-15168 7.3

CVE-2025-15167 7.3

CVE-2025-15166 7.3

CVE-2025-15165 7.3