Hanno Böck je 2. 6. 25 ob 07:26 napisal:
Roundcube just published an update that appears to contain an important
security fix:
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
"Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v."
Even though it says "Post-Auth", impact is likely high, as for a
webmailer, it is a very common scenario that many people are
potentially authenticated. (And it may just be another XSS away from
non-authenticated RCE.)
I believe this is
https://www.cve.org/CVERecord?id=CVE-2025-49113
CVE-2025-49113 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H score 9.9
