All errata/sisyphus_riscv64/ALT-PU-2025-8311-1
ALT-PU-2025-8311-1

Package update roundcube in branch sisyphus_riscv64

Version1.6.11-alt1
Task#0
Published2025-06-19
Max severityCRITICAL
Severity:

Closed issues (2)

BDU:2025-06366
CRITICAL9.9

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Published: 2025-06-04Modified: 2026-04-21
CVSS 3.xCRITICAL 9.9
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
CVE-2025-49113
HIGH8.8

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Published: 2025-06-02Modified: 2026-02-23
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References