oss-sec mailing list archives
Re: Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v
From: Anton Luka Šijanec <anton () sijanec eu>
Date: Mon, 2 Jun 2025 08:42:55 +0200
On 2. 6. 25 at 07:26, Hanno Böck wrote:
Roundcube just published an update that appears to contain an important security fix: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 "Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v." Even though it says "Post-Auth", impact is likely high, as for a webmailer, it is a very common scenario that many people are potentially authenticated. (And it may just be another XSS away from non-authenticated RCE.)
I believe this is CVE-2025-49113 (https://www.cve.org/CVERecord?id=CVE-2025-49113), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, score 9.9.
