CVE-2020-12641

Published: 04/05/2020 Updated: 29/04/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

rcube_image.php in Roundcube Webmail prior to 1.4.4 allows malicious users to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Vulnerable Product

roundcube webmail

opensuse leap 15.1

opensuse backports sle 15.0

opensuse leap 15.2

Github Repositories

MAL-004: Command Injection Bypass for CVE-2020-12641 in Roundcube Webmail

A bypass was found for "CVE-2020-12641: Command Injection via "_im_convert_path" in Roundcube Webmail" affecting versions before 1.4.5, 1.3.12. The PHP “escapeshellcmd” function, implemented to prevent “CVE-2020-12641: Command Injection via “_im_convert_path”...

CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

A Command Injection vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10. Because the "_im_convert_path" does not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can inject system commands in this parameter.
