CVE-2011-1491 Information

Description

The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker’s account and then compose an e-mail message related to a \login CSRF\ issue.

Reference

http://openwall.com/lists/oss-security/2011/03/24/3 http://openwall.com/lists/oss-security/2011/03/24/4 http://openwall.com/lists/oss-security/2011/04/04/50 http://trac.roundcube.net/changeset/4490 http://trac.roundcube.net/wiki/Changelog https://exchange.xforce.ibmcloud.com/vulnerabilities/66815