Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
The vulnerability consists of insufficient validation and sanitization of paths to ImageMagick tools configured by the im_convert_path and im_identify_path parameters. An attacker can inject malicious system commands through these parameters, which are then executed by the server. The vulnerability exists due to an incomplete patch for the earlier CVE-2020-12641 vulnerability, meaning that the original protection mechanism proved insufficient in Windows environments.
An unauthenticated remote attacker can execute arbitrary system commands on the server hosting Roundcube Webmail, which may lead to complete system compromise, data theft, and violation of service integrity and availability.
Roundcube Webmail should be updated to version 1.5.7 or 1.6.7. The fix is available in official project releases on GitHub (tags 1.5.7 and 1.6.7) and in commit 5ea9f37ce39374b6124586c0590fec7015d35d7f.
Roundcube Webmail in versions before 1.5.7 and in the 1.6.x branch before 1.6.7, running on Microsoft Windows systems
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Windows
OSMicrosoftwszystkie wersjeRoundcube Webmail
APPRoundcube< 1.5.71.6.0 – 1.6.7 (bez)
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows