CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2020-12641

CVSS 9.8v3.1pub. 2020-05-04upd. 2025-11-04

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Opensuse Backports Sle

    APP
    Opensuse
    15.0
  • Opensuse Leap

    OS
    Opensuse
    15.115.2
  • Roundcube Webmail

    APP
    Roundcube
    1.2.0 – 1.2.10 (bez)1.3.0 – 1.3.11 (bez)1.4.0 – 1.4.4 (bez)

CISA KEV — detailsi

Vendori
Roundcube
Producti
Roundcube Webmail
Added to KEVi
June 22, 2023
Remediation deadline (US Federal)i
July 13, 2023(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 13 lipca 2023
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2024-42009CRITICAL9.3⚠ KEVPL ✓ten sam produkt

XSS w Roundcube Webmail umożliwiający kradzież i wysyłkę wiadomości e-mail

CVE-2021-44026CRITICAL9.8⚠ KEVten sam produkt

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_par...

CVE-2020-16846CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the...