oss-sec mailing list archives
Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 2 Jun 2025 07:26:47 +0200
Hi,

Roundcube just published an update that appears to contain an important security fix:

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

"Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v."

Even though it says "Post-Auth", impact is likely high, as for a webmailer, it is a very common scenario that many people are potentially authenticated. (And it may just be another XSS away from non-authenticated RCE.)

--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
Current thread:
- Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v Hanno Böck (Jun 01)
- Re: Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v Anton Luka Šijanec (Jun 02)
