CVE-2020-12641

CVSS 9.8 CRITICAL · EPSS 84.5% · KEV · CWE-78
In short

Roundcube Webmail versions before 1.4.4 allow attackers to execute arbitrary code by injecting shell metacharacters through the image-conversion settings. This is critical because the vulnerable settings are typically controlled or influenced by administrators, so anyone who can set them gains a direct path to running arbitrary commands on the server.

Technical detail

This CWE-78 command injection in rcube_image.php stems from shell metacharacters in the im_convert_path or im_identify_path configuration values not being sanitized before those values are used to build a shell command. An attacker able to modify these settings, or to influence their values, can inject arbitrary shell commands that execute with the privileges of the web server process, leading to complete system compromise.
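The defensive pattern the description implies is to treat a configured tool path as untrusted input: validate it against a strict allowlist and pass it to the process as a single argv element rather than splicing it into a shell string. The following is an added illustration in Python, not Roundcube's code or its actual fix; the allowlist policy, function names and the `convert` invocation shape are assumptions.

```python
import re
import subprocess

# Allowlist (assumed policy): an absolute path whose segments contain only
# [A-Za-z0-9._-]. Anything a shell could interpret (; | & $ ` quotes,
# whitespace, newlines) fails the match instead of being escaped piecemeal.
_TOOL_PATH_RE = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$")


def validate_tool_path(value: str) -> str:
    """Return `value` if it is an acceptable path to an external tool binary,
    otherwise raise ValueError. Used for settings such as im_convert_path."""
    if not value or not _TOOL_PATH_RE.fullmatch(value):
        raise ValueError(f"rejected tool path: {value!r}")
    if ".." in value.split("/"):
        raise ValueError(f"rejected tool path with '..': {value!r}")
    return value


def is_safe_tool_path(value: str) -> bool:
    """Boolean wrapper, convenient for config-loading checks and tests."""
    try:
        validate_tool_path(value)
        return True
    except ValueError:
        return False


def build_convert_argv(convert_path: str, src: str, dst: str, fmt: str = "jpeg") -> list:
    """Build an argv list for an ImageMagick-style conversion. The validated
    path becomes argv[0] only; no shell ever re-parses it."""
    return [validate_tool_path(convert_path), src, f"{fmt}:{dst}"]


def run_convert(convert_path: str, src: str, dst: str) -> int:
    """Run the conversion without a shell (shell=False), so metacharacters in
    any argument are passed literally to the program, not interpreted."""
    argv = build_convert_argv(convert_path, src, dst)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=30)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample settings: one benign, the rest containing shell syntax.
    for setting in ["/usr/bin/convert", "/usr/bin/convert; echo injected",
                    "/usr/bin/$(echo convert)", "usr/bin/convert"]:
        print(f"{setting!r:40} -> {'ok' if is_safe_tool_path(setting) else 'REJECTED'}")
```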

Summary generated and translated by AI from the official description.
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
