9.8

CVE-2020-12641

Warning
Exploit

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Data provided by National Vulnerability Database (NVD)

Affected products:
Roundcube Webmail >= 1.2.0, < 1.2.10
Roundcube Webmail >= 1.3.0, < 1.3.11
Roundcube Webmail >= 1.4.0, < 1.4.4
openSUSE Backports SLE 15.0 Update SP1
openSUSE Backports SLE 15.0 Update SP2
openSUSE Leap 15.1
openSUSE Leap 15.2

22.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Roundcube Webmail Remote Code Execution Vulnerability

Description: Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Required action: Apply updates per vendor instructions.
EPSS metrics
Type    Source      Score    Percentile
EPSS    FIRST.org   93.07%   0.998

CVSS metrics
Source                                  Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                            9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                            7.5          10              6.4            AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0    9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.