CVE-2020-12640
Published 2020-05-04
CVE-2020-12640: Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Critical, 9.8, CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.4.4+dfsg.1-1 (bookworm) | roundcube 1.4.4+dfsg.1-1 (bookworm) |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| roundcube | webmail | >= 1.2.0 < 1.2.10 | 1.2.10 |
| roundcube | webmail | >= 1.3.0 < 1.3.11 | 1.3.11 |
| roundcube | webmail | >= 1.4.0 < 1.4.4 | 1.4.4 |
CVSS provenance
nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL