|
|
|||
| Rule General Information |
|---|
| Release Date: | 2025-06-10 | |
| Rule Name: | Roundcube Webmail PHP Deserialization vulnerability (CVE-2025-49113) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | |
| Impact: | An attacker can carefully construct malicious serialized data and pass it to the application, and execute the malicious code constructed by the attacker when the application deserializes the object. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | https://fearsoff.org/research/roundcube https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695 https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e |
|
| Solutions |
|---|
| Please refer to announcements or patches release by the vendor: https://github.com/roundcube/roundcubemail/releases |