Roundcube Webmail Vulnerability Allows Command Injection via im_convert_path and im_identify_path
CVE-2024-37385

9.8CRITICAL

Key Information:

Vendor: Roundcube Webmail
Status: Webmail
Vendor: CVE Published:; 7 June 2024

What is CVE-2024-37385?

Roundcube Webmail versions prior to 1.5.7 and earlier 1.6.x releases, specifically those before 1.6.7, exhibit a vulnerability that allows command injection through the parameters im_convert_path and im_identify_path. This issue arises from an incomplete fix for a previous vulnerability, making it crucial for users to update to the latest version to mitigate security risks. Users operating on Windows platforms are particularly affected by this vulnerability, which could lead to unauthorized command execution and compromise system integrity.

References

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/5ea9f37...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 7, 2024