VIR Vulnerability Intelligence Relay

CVE-2013-6172

high
Published 2013-11-05 · Modified 2026-04-29
CVSS v3
CVSS v2
7.5
VIR risk
7.5

Description

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-6172

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://trac.roundcube.net/ticket/1489382

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed0.9.4-1.1
debian debianbullseyefixed0.9.4-1.1
debian debiansidfixed0.9.4-1.1
debian debiantrixiefixed0.9.4-1.1

Application impact
VendorProductVersionsFixed
roundcubewebmail{"endIncluding":"0.8.6"}
roundcubewebmail0.1
roundcubewebmail0.1.1
roundcubewebmail0.2
roundcubewebmail0.2.1
roundcubewebmail0.2.2
roundcubewebmail0.3
roundcubewebmail0.3.1
roundcubewebmail0.4
roundcubewebmail0.4.1
roundcubewebmail0.4.2
roundcubewebmail0.5
roundcubewebmail0.5.1
roundcubewebmail0.5.2
roundcubewebmail0.5.3
roundcubewebmail0.5.4
roundcubewebmail0.6
roundcubewebmail0.7
roundcubewebmail0.7.1
roundcubewebmail0.7.2
roundcubewebmail0.7.3
roundcubewebmail0.8.0
roundcubewebmail0.8.1
roundcubewebmail0.8.2
roundcubewebmail0.8.3
roundcubewebmail0.8.4
roundcubewebmail0.8.5
roundcubewebmail0.9
roundcubewebmail0.9.0
roundcubewebmail0.9.1
roundcubewebmail0.9.2
roundcubewebmail0.9.3
roundcubewebmail0.9.4

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.