Remote Code Execution in Roundcube Password Plugin by Tech Company
CVE-2015-2180

8.8HIGH

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 30 January 2017

What is CVE-2015-2180?

The Password plugin in Roundcube, specifically its DBMail driver, is susceptible to a remote code execution vulnerability. Before version 1.1.0, malicious users can exploit this weakness by injecting shell metacharacters into the password field, thereby executing arbitrary commands on the server. This flaw poses significant security risks, as it can allow attackers to gain control over the system, potentially leading to unauthorized data access and further exploitation.

References

http://www.securityfocus.com/bid/96387

vdb-entryx_refsource_BID

https://github.com/roundcube/roundcubemail/issues/4757

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 30, 2017
Vulnerability Reserved
Mar 2, 2015