CVE-2018-9846
Published: 2018-04-07
Priority: P3 (44)
CVSS 3.0: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.0th percentile)
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.3.6+dfsg.1-1 (bookworm) | roundcube 1.3.6+dfsg.1-1 (bookworm) |
| roundcube | roundcube_webmail | >= 0 < 1.2~beta+dfsg.1-0ubuntu1+esm7 | 1.2~beta+dfsg.1-0ubuntu1+esm7 |
| roundcube | roundcube_webmail | >= 0 < 1.3.6+dfsg.1-1ubuntu0.1~esm7 | 1.3.6+dfsg.1-1ubuntu0.1~esm7 |
| roundcube | webmail | 1.2.0 – 1.3.5 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | n/a | 8.8 | HIGH | n/a |
| vendor_debian | n/a | 8.8 | HIGH | n/a |
| vendor_ubuntu | n/a | 6.1 | MEDIUM | n/a |
OSV: roundcube vulnerabilities (CVE-2016-4068 [MEDIUM], osv, 2026-03-30, CVSS 6.1)
It was discovered that Roundcube Webmail did not properly sanitize
certain HTML elements within the e-mail body. An attacker could possibly
use this issue to cause a cross-site scripting attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2017-6820)
It was di
GHSA: GHSA-3v75-9ch3-wfrw (ghsa_unreviewed, 2022-05-14; CVE-2018-9846 [HIGH], CWE-20). Description identical to the CVE description above.
OSV: CVE-2018-9846 [HIGH] (osv, 2018-04-07, CVSS 8.8). Description identical to the CVE description above.
Ubuntu: Roundcube Webmail vulnerabilities (CVE-2018-19205 [MEDIUM], vendor_ubuntu, 2026-03-30, CVSS 6.1)
Summary: Several security issues were fixed in Roundcube Webmail. The advisory text is the same USN text quoted in the OSV "roundcube vulnerabilities" entry above.
Debian: CVE-2018-9846 roundcube [HIGH] (vendor_debian, 2018, CVSS 8.8). Description identical to the CVE description above.
Scope: local
bookworm: resolved (fixed in 1.3.6+dfsg.1-1)
bullseye: resolved (fixed in 1.3.6+dfsg.1-1)
forky: resolved (fixed in 1.3.6+dfsg.1-1)
sid: resolved (fixed in 1.3.6+dfsg.1-1)
trixie: resolved (fixed in 1.3.6+dfsg.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2018-9846 roundcubemail: MX injection in archive.php [epel-all] (bugzilla, 2018-04-12, CVSS 8.8, HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora E
Bugzilla: CVE-2018-9846 roundcubemail: MX injection in archive.php (bugzilla, 2018-04-12, CVSS 8.8, HIGH)
A flaw was found in Roundcube versions 1.2.0 to 1.3.5: with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
References:
https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
Patch:
https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281
References (aggregated):
https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
https://www.debian.org/security/2018/dsa-4181