CVE-2020-12641
Published 2020-05-04
Critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-07-13
Exploited in the wild
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.4.4+dfsg.1-1 (bookworm) | roundcube 1.4.4+dfsg.1-1 (bookworm) |
| debian | roundcube | — | — |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| roundcube | webmail | < 1.5.7 | 1.5.7 |
| roundcube | webmail | >= 1.2.0 < 1.2.10 | 1.2.10 |
| roundcube | webmail | >= 1.3.0 < 1.3.11 | 1.3.11 |
| roundcube | webmail | >= 1.4.0 < 1.4.4 | 1.4.4 |
| roundcube | webmail | >= 1.6.0 < 1.6.7 | 1.6.7 |
CVSS provenance
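| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |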