Gentoo Linux Security Advisory 201402-15 - A vulnerability in Roundcube could result in arbitrary code execution, SQL injection, or reading of arbitrary files. Versions less than 0.9.5 are affected.
5be19c7fe318cdac4f395b199c65d5c4a701c798827254d2a3ea10f68f9f1b22
Mandriva Linux Security Advisory 2013-263 - It was discovered that roundcube does not properly sanitize the _session parameter in steps/utils/save_pref.inc when saving preferences. The vulnerability can be exploited to overwrite configuration settings, subsequently allowing random file access, manipulated SQL queries and even code execution. The updated packages have been patched to correct this issue.
8d50b6112b0546125f273c950799e408ec087e55a01ae26499b797a02f8ab996
Debian Linux Security Advisory 2787-1 - It was discovered that roundcube, a skinnable AJAX-based webmail solution for IMAP servers, does not properly sanitize the _session parameter in steps/utils/save_pref.inc when saving preferences. The vulnerability can be exploited to overwrite configuration settings, subsequently allowing random file access, manipulated SQL queries and even code execution.
16835cafc45de428b561f8da656aead6d60655755a053be0641fc356c2a3e1f6