CVE-2018-9846 log

Severity High
Remote Yes
Type Arbitrary command execution
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Group Package Affected Fixed Severity Status Ticket
AVG-670 roundcubemail 1.3.5-1 1.3.6-1 High Fixed
Date Advisory Group Package Severity Type
19 Apr 2018 ASA-201804-8 AVG-670 roundcubemail High arbitrary command execution