CVE-2020-12640: Path Traversal
First published: Mon May 04 2020(Updated: )
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Roundcube Webmail | >=1.2.0<1.2.10 | |
| Roundcube Webmail | >=1.3.0<1.3.11 | |
| Roundcube Webmail | >=1.4.0<1.4.4 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Backports SLE | =15.0-sp2 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube
- https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
- https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
- https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
- https://security.gentoo.org/glsa/202007-41
Frequently Asked Questions
What is CVE-2020-12640?
CVE-2020-12640 is a vulnerability in Roundcube Webmail that allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
How severe is CVE-2020-12640?
CVE-2020-12640 has a severity rating of 9.8 (Critical).
Which versions of Roundcube Webmail are affected by CVE-2020-12640?
Roundcube Webmail versions 1.2.0 to 1.2.10, 1.3.0 to 1.3.11, and 1.4.0 to 1.4.4 are affected by CVE-2020-12640.
How can an attacker exploit CVE-2020-12640?
An attacker can exploit CVE-2020-12640 by using directory traversal in a plugin name to rcube_plugin_api.php and including local files to execute arbitrary code.
Are there any references for CVE-2020-12640?
Yes, you can find references for CVE-2020-12640 at the following links: - http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube - https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/roundcube
- canonical/roundcube webmail
- version/roundcube webmail/1.2.0
- version/roundcube webmail/1.3.0
- version/roundcube webmail/1.4.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- version/opensuse backports sle/15.0-sp2
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2