PT-2020-6925 · Unknown+4 · Roundcube Webmail+4

Mal

Published

2019-10-03

Updated

2026-03-12

CVE-2020-12641

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.4.4

Description The issue exists due to the lack of protection of the web page structure in the im convert path and im identify path functions of the rcube image.php file in Roundcube Webmail. This allows a remote attacker to execute arbitrary code via shell metacharacters in a configuration setting for im convert path or im identify path.

Recommendations To resolve the issue, upgrade to version 1.4.4 or later. As a temporary workaround, consider disabling the im convert path and im identify path functions in the rcube image.php file until a patch is available. Restrict access to the rcube image.php file to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

ALT-PU-2019-2818

ALT-PU-2019-2946

ALT-PU-2019-3109

ALT-PU-2020-1898

ALT-PU-2020-2097

ALT-PU-2020-2319

ALT-PU-2020-2367

ALT-PU-2020-2518

ALT-PU-2020-2554

ALT-PU-2020-3561

ALT-PU-2020-3566

ALT-PU-2021-3558

ALT-PU-2022-1073

ALT-PU-2025-1825

ALT-PU-2025-8283

BDU:2023-07518

BIT-ROUNDCUBE-2020-12641

CVE-2020-12641

OPENSUSE-SU-2020:1516-1

OPENSUSE-SU-2020_1516-1

OPENSUSE-SU-2022:10148-1

OPENSUSE-SU-2024:11303-1

USN-5182-1

Affected Products

Alt Linux

Linuxmint

Roundcube Webmail

Suse

Ubuntu

PT-2020-6925 · Unknown+4 · Roundcube Webmail+4

CVE-2020-12641

Weakness Enumeration

Related Identifiers

Affected Products

References · 73