Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
References
- Third Party Advisory
- Patch
- Patch
- Patch
- Issue Tracking
- Release Notes
- Release Notes
- Vendor Advisory
- Exploit, Mitigation, Third Party Advisory
- Exploit, Mitigation, Third Party Advisory
- Mailing List, Third Party Advisory
- Mailing List, Third Party Advisory
Vulnerable configurations
One of
EPSS
9.9 Critical
CVSS3
8.8 High
CVSS3
Defects
Related vulnerabilities
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote ...
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
A vulnerability in the RoundCube Webmail mail client, related to flaws in the deserialization mechanism when processing the _from parameter, that allows an attacker to execute arbitrary code