CVE-2021-44026

CVSS 9.8 CRITICAL · EPSS 42.9% · KEV · CWE-89
In short

Roundcube webmail versions before 1.3.17 and 1.4.12 have a flaw in the search feature that allows attackers to inject malicious SQL commands. This could let an attacker steal emails, passwords, or other sensitive data from the mail server.

Technical detail

An SQL injection vulnerability in Roundcube's search and search_params functionality allows an unauthenticated or authenticated attacker to execute arbitrary SQL queries against the backend database. The flaw stems from insufficient sanitization of user-controlled search parameters before they are used in a database query, and its impact can include data exfiltration, authentication bypass, or manipulation of stored data.

Summary generated and translated by AI from the official description.
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
