CVE-2018-9846 log

Source
Severity High
Remote Yes
Type Arbitrary command execution
Description
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Group Package Affected Fixed Severity Status Ticket
AVG-670 roundcubemail 1.3.5-1 1.3.6-1 High Fixed
Date Advisory Group Package Severity Description
19 Apr 2018 ASA-201804-8 AVG-670 roundcubemail High arbitrary command execution
References
https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
https://roundcube.net/news/2018/04/11/security-update-1.3.6