BDU:2025-06366

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.9) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: CRITICAL (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

References:

CVE-2025-49113

Published: 2025-06-02
Modified: 2025-06-12

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Severity: CRITICAL (9.9) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References:

Package portainer-agent updated to version 2.31.1-alt1 for branch sisyphus_loongarch64.

Published: 2025-04-04

BDU:2025-04014

Уязвимость пакета net/http языка программирования Go, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: CRITICAL (9.4) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

References:

CVE-2025-22871

Published: 2025-04-08
Modified: 2025-04-18

CVE-2025-22871

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Version: 2.1.2

Branch sisyphus_loongarch64 update on 2025-06-19

ALT-BU-2025-8330-1

ALT-PU-2025-8327-1

Closed vulnerabilities

BDU:2025-06366

CVE-2025-49113

ALT-PU-2025-8329-1

Closed vulnerabilities

BDU:2025-04014

CVE-2025-22871