PT-2024-4339 · Unknown · Roundcube Webmail

Lutz Wolf +1

Published 2024-06-06 · Updated 2026-03-12 · CVE-2024-37385

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Roundcube Webmail versions 1.5.0 through 1.5.6
Roundcube Webmail versions 1.6.0 through 1.6.6

Description
The issue stems from an incomplete fix for a previous problem and allows command injection via the im_convert_path and im_identify_path settings. This can potentially allow a remote attacker to elevate their privileges. The problem exists because of insufficient input sanitization at the management level.

Recommendations
For Roundcube Webmail versions 1.5.0 through 1.5.6, update to version 1.5.7 or later. For Roundcube Webmail versions 1.6.0 through 1.6.6, update to version 1.6.7 or later. As a temporary workaround, consider restricting access to the im_convert_path and im_identify_path settings until a patch is available.
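The weakness class described above is a configured helper-binary path reaching a shell without validation or quoting. The following PHP is an added example, not Roundcube's own code, showing the defensive pattern a fix for this class relies on: a configured path such as im_convert_path is accepted only if it is an absolute path to an existing executable made of safe characters, and every component of the command line is quoted with escapeshellarg() before execution. The function names and sample values are illustrative assumptions.

```php
<?php
// Added example (not Roundcube code): hardened handling of an
// administrator-configurable binary path such as im_convert_path.

/**
 * Validate a configured binary path. Returns the path on success,
 * or null when the value must not be handed to a shell at all.
 */
function validate_binary_path(?string $path): ?string
{
    if ($path === null || $path === '') {
        return null;                       // feature disabled, nothing to run
    }
    // Allow only an absolute path built from safe characters: this rejects
    // spaces, quotes, backticks, semicolons, pipes, $ and other shell syntax.
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $path)) {
        return null;
    }
    // Reject ".." traversal segments that the character class still permits.
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    // The file must exist and be executable by the web server user.
    if (!is_file($path) || !is_executable($path)) {
        return null;
    }
    return $path;
}

/**
 * Build a command line in which every component is individually quoted,
 * so neither the binary path nor any argument can append extra commands.
 */
function build_command(string $binary, array $args): string
{
    $parts = [escapeshellarg($binary)];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $parts);
}

// Constructed sample values (not from a real installation). PHP_BINARY is used
// as a stand-in for an ImageMagick path purely so that the "good" case exists
// on any machine running this script.
$candidates = [
    PHP_BINARY,                              // valid: absolute, exists, executable
    '/usr/bin/convert; echo injected',       // rejected: shell metacharacters
    '/usr/bin/../bin/convert',               // rejected: traversal segment
    'convert',                               // rejected: relative path
];

foreach ($candidates as $candidate) {
    $validated = validate_binary_path($candidate);
    if ($validated === null) {
        echo "rejected: $candidate\n";
        continue;
    }
    // Vulnerable pattern: exec("$candidate -identify $file") with the raw
    // configured string interpolated. Hardened pattern: each component quoted.
    $cmd = build_command($validated, ['-identify', 'image.png']);
    echo "would run: $cmd\n";
}
```

The validation step is what the advisory's workaround approximates by restricting who can change these settings; the quoting step is the second, independent layer, so that even a value that slips past validation cannot terminate the intended command and start another.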

Fix

Weakness Enumeration
Command Injection

Related Identifiers
BDU:2024-04828
CVE-2024-37385

Affected Products
Roundcube Webmail