Arch Linux alert ASA-202506-1 (roundcubemail)
From: Andrea Denisse <denisse@archlinux.org>
To: arch-security <arch-security@lists.archlinux.org>
Subject: [ASA-202506-1] roundcubemail: arbitrary code execution
Date: Fri, 13 Jun 2025 14:30:59 -0600
Message-ID: <b147fe89bdf0a79717a3015b3ea775535729b0c5.camel@archlinux.org>
Arch Linux Security Advisory ASA-202506-1
=========================================

Severity: Critical
Date    : 2025-06-04
CVE-ID  : CVE-2025-49113
Package : roundcubemail
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2891

Summary
=======

The package roundcubemail before version 1.6.11-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.6.11-1.

# pacman -Syu "roundcubemail>=1.6.11-1"

The problem has been fixed upstream in version 1.6.11.

Workaround
==========

None.

Description
===========

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote
code execution by authenticated users because the _from parameter in a
URL is not validated in program/actions/settings/upload.php, leading to
PHP Object Deserialization.

Impact
======

A remote attacker with access to an authenticated Roundcube session can
exploit a vulnerability leading to arbitrary code execution.

References
==========

https://roundcube.net/news/2025/06/01/security-updates-1....
https://www.cve.org/CVERecord?id=CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/3
https://github.com/roundcube/roundcubemail/pull/9865
https://security.archlinux.org/CVE-2025-49113
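The affected ranges above (upstream before 1.5.10, 1.6.x before 1.6.11, Arch package before 1.6.11-1) as an inventory check, added here as an example and not part of the advisory or of Arch's tooling. It assumes purely numeric version strings (no epoch or alpha/beta suffixes) and uses constructed `pacman -Q` output rather than a real host's.

```python
import re

# Affected ranges stated in the advisory: Roundcube before 1.5.10, and
# 1.6.x before 1.6.11. The fixed Arch package is 1.6.11-1 (pkgver-pkgrel).
FIXED_ARCH_PKG = "1.6.11-1"

def parse_version(text):
    """Parse 'x.y.z' or an Arch 'pkgver-pkgrel' string into ((x, y, z), pkgrel).

    Assumption: purely numeric versions, no epoch or alpha/beta suffixes.
    pkgrel is 0 when absent, so upstream and Arch strings compare alike.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    pkgver = tuple(int(p) for p in m.group(1).split("."))
    pkgver = (pkgver + (0, 0, 0))[:3]   # pad so '1.6' compares as 1.6.0
    return pkgver, int(m.group(2) or 0)

def is_affected_upstream(version):
    """True if an upstream Roundcube version falls in a vulnerable range."""
    v, _ = parse_version(version)
    return v < (1, 5, 10) or (1, 6, 0) <= v < (1, 6, 11)

def is_affected_arch(pkg_version):
    """True if an Arch package version is older than the fixed 1.6.11-1."""
    return parse_version(pkg_version) < parse_version(FIXED_ARCH_PKG)

def audit_pacman_query(output):
    """Map each roundcubemail 'name version' line of `pacman -Q` to a verdict."""
    verdicts = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != "roundcubemail":
            continue
        verdicts[parts[1]] = "AFFECTED" if is_affected_arch(parts[1]) else "fixed"
    return verdicts

# Constructed sample lines from two hosts (not real pacman output).
SAMPLE_PACMAN_Q = "roundcubemail 1.6.10-1\nroundcubemail 1.6.11-1\n"

if __name__ == "__main__":
    for ver, verdict in audit_pacman_query(SAMPLE_PACMAN_Q).items():
        print(f"roundcubemail {ver}: {verdict}")
```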