https://github.com/mbadanoiu/cve-2020-12641

CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail
https://github.com/mbadanoiu/cve-2020-12641

0-day cve cve-2020-12641 cves remote-code-execution unauthenticated

Last synced: about 2 months ago
JSON representation

CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

• Host: GitHub
• URL: https://github.com/mbadanoiu/cve-2020-12641
• Owner: mbadanoiu
• Created: 2024-04-08T19:48:16.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2024-04-08T19:57:27.000Z (about 1 year ago)
• Last Synced: 2025-01-12T09:29:28.642Z (4 months ago)
• Topics: 0-day, cve, cve-2020-12641, cves, remote-code-execution, unauthenticated
• Homepage:
• Size: 325 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

A Command Injection vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10.

Because the "_im_convert_path" does not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can inject system commands in this parameter that will execute when any user opens any email containing a "non-standard" image.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10).

### Requirements:

This vulnerability requires:




- Access to the Roundcube Webmail installer component

- Waiting for a Roundcube user to open an email containg a non-standard image

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2020-12641/blob/main/Roundcube%20Disclosures%20-%20CVE-2020-12641.pdf).