CRITICAL🇵🇱 Wersja polska

CVE-2024-37385

CVSS 9.8v3.1pub. 2024-06-07upd. 2026-02-06

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.

🤖 AI Analysis
How it works

The vulnerability consists of insufficient validation and sanitization of paths to ImageMagick tools configured by the im_convert_path and im_identify_path parameters. An attacker can inject malicious system commands through these parameters, which are then executed by the server. The vulnerability exists due to an incomplete patch for the earlier CVE-2020-12641 vulnerability, meaning that the original protection mechanism proved insufficient in Windows environments.

Impact

An unauthenticated remote attacker can execute arbitrary system commands on the server hosting Roundcube Webmail, which may lead to complete system compromise, data theft, and violation of service integrity and availability.

Mitigation & patch

Roundcube Webmail should be updated to version 1.5.7 or 1.6.7. The fix is available in official project releases on GitHub (tags 1.5.7 and 1.6.7) and in commit 5ea9f37ce39374b6124586c0590fec7015d35d7f.

Who is affected

Roundcube Webmail in versions before 1.5.7 and in the 1.6.x branch before 1.6.7, running on Microsoft Windows systems

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
  • Roundcube Webmail

    APP
    Roundcube
    < 1.5.71.6.0 – 1.6.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows