Roundcube Webmail could allow remote code execution.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers
Details:
It was discovered that Roundcube Webmail did not properly sanitize the
_from parameter in a URL, leading to PHP Object Deserialization. A remote
attacker could possibly use this issue to execute arbitrary code.
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
roundcube 1.6.10+dfsg-1ubuntu0.1
roundcube-core 1.6.10+dfsg-1ubuntu0.1
Ubuntu 24.10
roundcube 1.6.8+dfsg-2ubuntu0.1
roundcube-core 1.6.8+dfsg-2ubuntu0.1
Ubuntu 24.04 LTS
roundcube 1.6.6+dfsg-2ubuntu0.1
roundcube-core 1.6.6+dfsg-2ubuntu0.1
Ubuntu 22.04 LTS
roundcube 1.5.0+dfsg.1-2ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-plugins 1.5.0+dfsg.1-2ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 20.04 LTS
roundcube 1.4.3+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
roundcube-plugins 1.4.3+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
Ubuntu 18.04 LTS
roundcube 1.3.6+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
roundcube-plugins 1.3.6+dfsg.1-1ubuntu0.1~esm5
Available with Ubuntu Pro
Ubuntu 16.04 LTS
roundcube 1.2~beta+dfsg.1-0ubuntu1+esm6
Available with Ubuntu Pro
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm6
Available with Ubuntu Pro
roundcube-plugins 1.2~beta+dfsg.1-0ubuntu1+esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.https://ubuntu.com/security/notices/USN-7584-1
CVE-2025-49113
Get the latest Linux and open source security news straight to your inbox.