Severity: High
Date    : 2018-04-19
CVE-ID  : CVE-2018-9846
Package : roundcubemail
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-670
The package roundcubemail before version 1.3.6-1 is vulnerable to
arbitrary command execution: with the archive plugin enabled, IMAP
commands can be injected through an unsanitized request parameter.
Upgrade to 1.3.6-1.
The problem has been fixed upstream in version 1.3.6.
Disable the archive plugin (remove 'archive' from the $config['plugins']
array in config/config.inc.php); the flaw is only reachable while the
plugin is enabled and configured.
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
enabled and configured, it is possible to exploit the unsanitized,
user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP command) injection attack by placing an IMAP command after a
%0d%0a (CRLF) sequence: the IMAP server treats CRLF as the end of one
command, so whatever follows is parsed as a further tagged command. NOTE:
this is less easily exploitable in 1.3.4 and later because of a Same
Origin Policy protection mechanism.
A remote attacker is able to execute arbitrary IMAP commands on the mail
server behind Roundcube, with the IMAP credentials of the session that
issues the request, via a specially crafted URL.
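As an added illustration (not Roundcube's code and not the upstream fix), the following Python model shows the injection path the description above refers to: a _uid value is URL-decoded and interpolated into a UID COPY command, so a %0d%0a sequence ends that command and the remainder is parsed by the IMAP server as further tagged commands. The command template, the tags A001..A003, the mailbox name and the attacker payload are constructed for the example; the hardened variant refuses anything that is not an RFC 3501 sequence set before it reaches the connection.

```python
# Added illustrative model of the CRLF/IMAP command injection described in
# CVE-2018-9846. This is NOT Roundcube's code: it models the path from a
# user-controlled "_uid" parameter to the IMAP wire, first without any check
# and then with a message-set check. Tags, mailbox and payload are constructed.
import re
from urllib.parse import unquote


class RecordingImapConnection:
    """Stands in for the socket to the IMAP server; records every byte sent."""

    def __init__(self) -> None:
        self.buffer = b""

    def send(self, data: bytes) -> None:
        self.buffer += data

    def commands_seen_by_server(self) -> list:
        # An IMAP server splits its input on CRLF and parses each non-empty
        # line as a separate tagged command, so an injected CRLF yields a
        # second command with the same authority as the first.
        return [line.decode("latin-1") for line in self.buffer.split(b"\r\n") if line]


# RFC 3501 sequence-set, slightly simplified: "1", "1:5", "1,3:7,9", "10:*".
MESSAGE_SET = re.compile(r"(\d+:(\d+|\*)|\d+)(,(\d+:(\d+|\*)|\d+))*")


def copy_to_mailbox_vulnerable(conn, uid_param: str, mailbox: str) -> None:
    """Interpolates the decoded _uid value straight into the command (the flaw)."""
    uids = unquote(uid_param)
    conn.send(f"A001 UID COPY {uids} {mailbox}\r\n".encode("latin-1"))


def copy_to_mailbox_hardened(conn, uid_param: str, mailbox: str) -> None:
    """Refuses anything that is not a plain message set before it reaches the wire."""
    uids = unquote(uid_param)
    if MESSAGE_SET.fullmatch(uids) is None:
        raise ValueError(f"invalid message set: {uids!r}")
    conn.send(f"A001 UID COPY {uids} {mailbox}\r\n".encode("latin-1"))


def demo(uid_param: str, mailbox: str = "Archive"):
    """Returns (commands the server parses on the vulnerable path,
    commands on the hardened path or the rejection message)."""
    vulnerable = RecordingImapConnection()
    copy_to_mailbox_vulnerable(vulnerable, uid_param, mailbox)
    hardened = RecordingImapConnection()
    try:
        copy_to_mailbox_hardened(hardened, uid_param, mailbox)
        hardened_result = hardened.commands_seen_by_server()
    except ValueError as err:
        hardened_result = str(err)
    return vulnerable.commands_seen_by_server(), hardened_result


# Constructed attacker value for _uid: a real uid, then %0d%0a and an injected
# command. The final line is sacrificial: the template appends " Archive" to it,
# so the attacker lets a harmless NOOP absorb the leftover token.
PAYLOAD = "1%0d%0aA002%20DELETE%20Archive%0d%0aA003%20NOOP"
BENIGN = "1,3:5"

if __name__ == "__main__":
    for label, param in (("benign", BENIGN), ("injection", PAYLOAD)):
        vulnerable_lines, hardened_result = demo(param)
        print(f"{label}: vulnerable path -> {vulnerable_lines}")
        print(f"{label}: hardened path   -> {hardened_result}")
```

Running the module prints what the server would parse on each path: for the injected value the vulnerable path delivers three commands (the intended COPY, the attacker's DELETE, and a NOOP that swallows the trailing mailbox token), while the hardened path rejects the value before anything is sent. The point of the check is that it validates the shape of the message set rather than merely stripping CR and LF; the same check belongs anywhere user input is spliced into a line-oriented protocol.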
https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
https://roundcube.net/news/2018/04/11/security-update-1.3.6
https://security.archlinux.org/CVE-2018-9846
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | roundcubemail | < 1.3.6-1 | UNKNOWN |