[manjaro-security] [ASA-202506-1] roundcubemail: arbitrary code execution

Andrea Denisse denisse at archlinux.org
Fri Jun 13 22:30:59 CEST 2025


Arch Linux Security Advisory ASA-202506-1
=========================================

Severity: Critical
Date    : 2025-06-04
CVE-ID  : CVE-2025-49113
Package : roundcubemail
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2891

Summary
=======

The package roundcubemail before version 1.6.11-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.6.11-1.

# pacman -Syu "roundcubemail>=1.6.11-1"

The problem has been fixed upstream in version 1.6.11.

Workaround
==========

None.

Description
===========

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote
code execution by authenticated users because the _from parameter in a
URL is not validated in program/actions/settings/upload.php, leading to
PHP Object Deserialization.
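What "an unvalidated parameter leading to PHP object deserialization" means in practice, as an added illustration: this is not Roundcube's code and does not reproduce its code path or the upstream patch. It only shows the class of bug: PHP's built-in "php" session serializer stores each variable as name|serialized-value, so a request parameter that is used, unvalidated, as a session variable name can move the name/value boundary and steer what unserialize() reads. The '_upload' suffix, the 'user_id' entry, the allowlist regex and the hostile string are constructed for the demo.

```php
<?php
// Added illustration, not Roundcube code. Shows why a request parameter must
// be validated before it is used as a session variable name.
//
// PHP's built-in "php" session serializer stores each variable as
//     <name>|<serialize($value)>
// and, when reading, scans for the '|' that ends each name. If the name is
// attacker-controlled, a '|' inside it moves that boundary and the bytes
// after it are passed to unserialize() as a value. A custom session handler
// that mirrors this layout has the same property.

// Minimal encoder/decoder in the "php" session layout, so the demo runs alone.
function session_encode_php(array $vars): string
{
    $out = '';
    foreach ($vars as $name => $value) {
        $out .= $name . '|' . serialize($value);
    }
    return $out;
}

function session_decode_php(string $data): array
{
    $vars = [];
    $pos  = 0;
    $len  = strlen($data);
    while ($pos < $len && ($sep = strpos($data, '|', $pos)) !== false) {
        $name  = substr($data, $pos, $sep - $pos);
        // unserialize() reads one value and ignores trailing bytes (PHP 8.3+
        // warns about them, hence '@'); re-serializing the result tells us
        // how many bytes that value occupied.
        $value = @unserialize(substr($data, $sep + 1));
        if ($value === false) {
            break;                            // malformed record, stop
        }
        $vars[$name] = $value;
        $pos = $sep + 1 + strlen(serialize($value));
    }
    return $vars;
}

// Risky pattern: the raw request parameter becomes (part of) a session name.
// The '_upload' suffix and the 'user_id' entry are constructed for the demo.
function store_upload_state_unvalidated(string $from, array $state): string
{
    $session = ['user_id' => 42];
    $session[$from . '_upload'] = $state;
    return session_encode_php($session);
}

// Hardened pattern: allowlist the parameter first. The character class is an
// illustrative policy for a form identifier, not the upstream patch.
function validate_from(string $from): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $from)) {
        throw new InvalidArgumentException('invalid _from parameter');
    }
    return $from;
}

function store_upload_state_validated(string $from, array $state): string
{
    return store_upload_state_unvalidated(validate_from($from), $state);
}

// --- Demonstration (constructed inputs) ---
$state = ['file' => 'a.png'];

// 1. A well-formed name round-trips through the session store.
$ok = session_decode_php(store_upload_state_unvalidated('edit-identity', $state));
if ($ok['user_id'] !== 42 || !isset($ok['edit-identity_upload'])) {
    throw new RuntimeException('benign round-trip failed');
}

// 2. A name carrying the '|' separator and a serialized string. Not a working
//    payload for any product; it only shows the boundary shift: the decoder
//    yields a variable 'x' whose value the application never stored, and the
//    intended variable name no longer exists.
$hostile = 'x|s:3:"abc";y';
$bad = session_decode_php(store_upload_state_unvalidated($hostile, $state));
if (!isset($bad['x']) || isset($bad[$hostile . '_upload'])) {
    throw new RuntimeException('expected the name/value boundary to shift');
}
echo "unvalidated name produced variables: ", implode(', ', array_keys($bad)), "\n";

// 3. With validation the hostile name never reaches the session store.
try {
    store_upload_state_validated($hostile, $state);
    throw new RuntimeException('hostile name was accepted');
} catch (InvalidArgumentException $e) {
    echo "validated path: ", $e->getMessage(), "\n";
}
echo "validated path accepted: ", validate_from('edit-identity'), "\n";
```

The demo deliberately injects a plain string rather than an object: the point is that the parameter decides which bytes unserialize() consumes at all. Once that is the case, the remaining step to object injection depends only on what gadget classes are loadable, which is why the advisory rates this Critical and why the fix is to reject the parameter before it touches the session.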

Impact
======

A remote attacker with access to an authenticated Roundcube session can
exploit this flaw to execute arbitrary code.

References
==========

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cve.org/CVERecord?id=CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/3
https://github.com/roundcube/roundcubemail/pull/9865
https://security.archlinux.org/CVE-2025-49113
