BDU:2025-06366

Уязвимость почтового клиента RoundCube Webmail, связанная с недостатками механизма десериализации при обработке параметра _from, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.9) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: CRITICAL (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

References:

CVE-2025-49113

Published: 2025-06-02
Modified: 2025-06-12

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Severity: CRITICAL (9.9) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References:

Version: 2.1.2

Package roundcube update in sisyphus_loongarch64 on 2025-06-19

ALT-PU-2025-8327-1

Closed vulnerabilities

BDU:2025-06366

CVE-2025-49113