CVE-2016-9920
Published 2016-12-08. CVE-2016-9920: steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not…
Priority: P3 50 high · CVSS 3.0: 7.5
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.62% (92.0th percentile)
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.2.3+dfsg.1-1 (bookworm) | roundcube 1.2.3+dfsg.1-1 (bookworm) |
| roundcube | roundcube_webmail | >= 0 < 1.2~beta+dfsg.1-0ubuntu1+esm7 | 1.2~beta+dfsg.1-0ubuntu1+esm7 |
| roundcube | roundcube_webmail | >= 0 < 1.3.6+dfsg.1-1ubuntu0.1~esm7 | 1.3.6+dfsg.1-1ubuntu0.1~esm7 |
| roundcube | webmail | <= 1.1.6 | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
Detection & IOCs (extracted from sources)
- Monitor for Roundcube sendmail invocations that include attacker-controlled envelope-from (-f) arguments on the sendmail command line, which can be abused for arbitrary code execution by authenticated users.
- Exploitation requires no SMTP server to be configured and the sendmail program to be enabled in Roundcube — alert on process spawns of sendmail from a Roundcube web process (e.g., php-fpm/apache) with unexpected -f flag values.
- Review upstream patches at the referenced GitHub commits for the exact code-level diff to build precise file-integrity or YARA rules against vulnerable versions of steps/mail/sendmail.inc.
- The vulnerability is only exploitable when Roundcube is configured to use the local sendmail binary (no SMTP server configured). Instances using an SMTP server are not affected.
- Exploitation requires the attacker to be a remote authenticated user — unauthenticated exploitation is not possible.
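The second bullet above describes the detection a defender would actually deploy: sendmail spawned by a web-server process with an envelope-from that is not a single plain address. The following is an added example (not from this page or from Roundcube) that implements that check over constructed process-spawn lines; the `ppid_comm=... argv="..."` line format and the parent-process names are assumptions for the demo.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Parent process names that indicate the call came from the web stack (assumed set).
WEB_PARENTS = {"php-fpm", "apache2", "httpd", "nginx"}
# A legitimate -f value is exactly one plain mailbox address: no spaces, no extra tokens.
STRICT_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    'ppid_comm=php-fpm argv="/usr/sbin/sendmail -t -oi -f alice@example.com"',
    'ppid_comm=php-fpm argv="/usr/sbin/sendmail -t -oi -fbob@example.com"',
    "ppid_comm=php-fpm argv=\"/usr/sbin/sendmail -t -oi -f 'alice@example.com extra-token'\"",
    'ppid_comm=cron argv="/usr/sbin/sendmail -f root@example.com root"',
]

@dataclass
class Event:
    parent: str
    argv: List[str]

def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed 'ppid_comm=<name> argv="<cmdline>"' line."""
    m = re.match(r'ppid_comm=(\S+)\s+argv="(.*)"$', line.strip())
    if not m:
        return None
    return Event(parent=m.group(1), argv=shlex.split(m.group(2)))

def envelope_from(argv: List[str]) -> Optional[str]:
    """Return the -f value, accepting both '-f addr' and '-faddr' spellings."""
    for i, arg in enumerate(argv):
        if arg == "-f" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-f") and len(arg) > 2:
            return arg[2:]
    return None

def is_suspicious(line: str) -> bool:
    """True when a web process spawns sendmail with a -f value that is not one plain address."""
    ev = parse_event(line)
    if ev is None or not ev.argv:
        return False
    if os.path.basename(ev.argv[0]) != "sendmail" or ev.parent not in WEB_PARENTS:
        return False
    sender = envelope_from(ev.argv)
    # No -f at all is normal; a -f value carrying whitespace or extra tokens is not.
    return sender is not None and not STRICT_ADDRESS.match(sender)

def scan(lines: List[str]) -> List[str]:
    """Return the subset of lines that should raise an alert."""
    return [line for line in lines if is_suspicious(line)]
```

Running `scan(SAMPLE_EVENTS)` flags only the third line: the cron-spawned call and the two plain addresses pass.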
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
Ubuntu
Roundcube Webmail vulnerabilities (vendor_ubuntu · 2026-03-30 · CVSS 6.1)
CVE-2018-19205 [MEDIUM] Roundcube Webmail vulnerabilities
Title: Roundcube Webmail vulnerabilities
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail did not properly sanitize certain HTML elements within the e-mail body. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain configuration parameters. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting att
Debian
CVE-2016-9920 [HIGH]: roundcube - steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when n... (vendor_debian · 2016 · CVSS 7.5)
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
Scope: local
bookworm: resolved (fixed in 1.2.3+dfsg.1-1)
bullseye: resolved (fixed in 1.2.3+dfsg.1-1)
forky: resolved (fixed in 1.2.3+dfsg.1-1)
sid: resolved (fixed in 1.2.3+dfsg.1-1)
trixie: resolved (fixed in 1.2.3+dfsg.1-1)
OSV
roundcube vulnerabilities (osv · 2026-03-30 · CVSS 6.1)
CVE-2016-4068 [MEDIUM] roundcube vulnerabilities
It was discovered that Roundcube Webmail did not properly sanitize certain HTML elements within the e-mail body. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain configuration parameters. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2017-6820)
It was di
GHSA
GHSA-f59r-7mfp-ww98: steps/mail/sendmail (ghsa_unreviewed · 2022-05-17)
CVE-2016-9920 [HIGH] CWE-284
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
OSV
CVE-2016-9920: steps/mail/sendmail (osv · 2016-12-08 · CVSS 7.5)
CVE-2016-9920 [HIGH]
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-9920 roundcubemail: Code execution via mail() (bugzilla · 2016-12-09 · CVSS 7.5)
CVE-2016-9920 [HIGH]
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
References:
- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
- https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
Upstream patches:
- https://github.com/roundcube/roundcubemail/commit/aa6bf38843f51a0fc7205acc98a7b84f3c4c9c4f
- https://github.com/roundcube/roundcubemail/commit/45a3e81653eb6ad3685d1a9ab817a61df78178eb
CVE assignm
Bugzilla
CVE-2016-9920 roundcubemail: Code execution via mail() [epel-all] (bugzilla · 2016-12-09 · CVSS 7.5)
CVE-2016-9920 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora
Bugzilla
CVE-2016-9920 roundcubemail: Code execution via mail() [fedora-all] (bugzilla · 2016-12-09 · CVSS 7.5)
CVE-2016-9920 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Wh
References:
- http://www.openwall.com/lists/oss-security/2016/12/08/10
- http://www.securityfocus.com/bid/94858
- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
- https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
- https://security.gentoo.org/glsa/201612-44
Published: 2016-12-08