A vulnerability has been reported in RoundCube Webmail, which can be
exploited by malicious users to manipulate certain data.
The vulnerability is caused due to an error when handling the
"_session" parameter (steps/utils/save_pref.inc) during saving
preferences and can be exploited to overwrite configuration settings
and subsequently e.g. conduct SQL injection attacks.
Note: This can be exploited to execute arbitrary code in versions
prior to 0.8.7.
The vulnerability is reported in versions prior to 0.8.7 and 0.9.5.
Update to version 0.8.7 or 0.9.5.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.