ALT Linux Team

Package roundcube update in sisyphus_riscv64 on 2025-06-19

ALT-PU-2025-8311-1

Package roundcube updated to version 1.6.11-alt1 for branch sisyphus_riscv64.

Closed vulnerabilities

Published: 2025-06-01

BDU:2025-06366

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.9) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2025-06-02
Modified: 2025-06-12

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Severity: CRITICAL (9.9) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top