All errata/c10f2/ALT-PU-2025-8287-4
ALT-PU-2025-8287-4

Package update roundcube in branch c10f2

Version1.6.11-alt1
Task#387597
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (9)

BDU:2024-06146
CRITICAL9.3

Уязвимость функции message_body() файла program/actions/mail/show.php почтового клиента RoundCube Webmail, позволяющая нарушителю получить полный доступ к электронной почте путём отправки специально сформированного сообщения

Published: 2024-08-12Modified: 2025-06-16
CVSS 3.xCRITICAL 9.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2024-06254
MEDIUM6.1

Уязвимость функции rcmail_action_mail_get->run() почтового клиента RoundCube Webmail, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Published: 2024-08-16Modified: 2024-09-02
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2024-06665
HIGH7.5

Уязвимость функции mod_css_styles компонента Cascading Style Sheet Handler почтового клиента RoundCube, позволяющая нарушителю раскрыть конфиденциальную информацию

Published: 2024-09-03Modified: 2024-12-03
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
References
BDU:2025-06366
CRITICAL9.9

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Published: 2025-06-04Modified: 2026-04-21
CVSS 3.xCRITICAL 9.9
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
CVE-2024-42008
CRITICAL9.3

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Published: 2024-08-05Modified: 2025-03-13
CVSS 3.xCRITICAL 9.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References
CVE-2024-42009
CRITICAL9.3

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Published: 2024-08-05Modified: 2025-11-04
CVSS 3.xCRITICAL 9.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References
CVE-2024-42010
HIGH7.5

mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.

Published: 2024-08-05Modified: 2026-04-15
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-49113
HIGH8.8

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Published: 2025-06-02Modified: 2026-02-23
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
GHSA-8j8w-wwqc-x596
CRITICAL9.9

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Published: 2025-06-02Modified: 2026-02-21
CVSS 3.xCRITICAL 9.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References