Description
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
Exploits (1)
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94858
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/12/08/10
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201612-44
Release Notes, Vendor Advisory x_refsource_confirm
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
Scores
CVSS v3
7.5
EPSS
0.3830
EPSS Percentile
97.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
Status
published
Products (4)
roundcube/webmail
1.2.0
roundcube/webmail
1.2.1
roundcube/webmail
1.2.2
roundcube/webmail
< 1.1.6
Published
Dec 08, 2016
Tracked Since
Feb 18, 2026