Main Vulnerability Database SB2018050221

SB2018050221 - Fedora EPEL 7 update for roundcubemail

Published: May 2, 2018 Updated: April 24, 2025

Security Bulletin ID SB2018050221

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Command injection (CVE-ID: CVE-2018-9846)

The vulnerability allows a remote attacker to execute arbitrary IMAP command.

The vulnerability exists in Roundcube when processing user-supplied data passed via the "_uid" HTTP GET parameter to archive.php script. A remote authenticated attacker can execute arbitrary IMAP command after "%0d%0a" characters.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to email messages of other users.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-ce811a54c9