
[ASA-202506-1] roundcubemail: arbitrary code execution
Arch Linux Security Advisory ASA-202506-1
=========================================

Severity: Critical
Date    : 2025-06-04
CVE-ID  : CVE-2025-49113
Package : roundcubemail
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2891

Summary
=======

The package roundcubemail before version 1.6.11-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.6.11-1.

# pacman -Syu "roundcubemail>=1.6.11-1"

The problem has been fixed upstream in version 1.6.11.

Workaround
==========

None.

Description
===========

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code
execution by authenticated users because the _from parameter in a URL is not
validated in program/actions/settings/upload.php, leading to PHP Object
Deserialization.

Impact
======

A remote attacker with access to an authenticated Roundcube session can
exploit a vulnerability leading to arbitrary code execution.

References
==========

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cve.org/CVERecord?id=CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/3
https://github.com/roundcube/roundcubemail/pull/9865
https://security.archlinux.org/CVE-2025-49113
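As an added example (not part of the advisory or of the Roundcube project), a small Python check that flags access-log requests to the settings upload action whose _from value is not a plain token, which is one way to hunt for attempts against unpatched hosts. It assumes Roundcube routes requests via the _task and _action query parameters and that legitimate _from values are short alphanumeric tokens; the log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Assumption (not from the advisory): legitimate _from values are short
# tokens of letters, digits, hyphen and underscore.
_FROM_OK = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Request line of a common/combined access-log entry.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_from(request_target: str) -> Optional[str]:
    """Return the offending _from value when the request hits the Roundcube
    settings upload action (assumed routed via _task=settings&_action=upload)
    with a _from value outside the expected token shape; None otherwise.
    parse_qs already percent-decodes, so encoded characters are checked too."""
    qs = parse_qs(urlsplit(request_target).query)
    if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
        return None
    for value in qs.get("_from", []):
        if not _FROM_OK.match(value):
            return value
    return None

def scan_access_log(lines) -> list:
    """Return (line_number, offending_value) pairs for suspicious entries."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if m:
            bad = suspicious_from(m.group("target"))
            if bad is not None:
                hits.append((no, bad))
    return hits

# Constructed sample log lines (not real traffic): a normal upload, one with
# an odd _from value, and an odd _from on an unrelated action (ignored).
SAMPLE_LOG = [
    '203.0.113.5 - alice [04/Jun/2025:10:01:02 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.7 - bob [04/Jun/2025:10:02:15 +0000] "POST /?_task=settings&_action=upload&_from=bad%22value%3B HTTP/1.1" 200 88',
    '203.0.113.9 - carol [04/Jun/2025:10:03:44 +0000] "GET /?_task=mail&_action=list&_from=x%21 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, bad in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: unexpected _from value {bad!r}")
```

Only the query string is inspected, so the check works whether Roundcube is served from / or from a sub-path.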