Vulnerability Details : CVE-2018-9846
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Vulnerability category: Input validation
Products affected by CVE-2018-9846
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-9846
40.80%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-9846
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2018-9846
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-9846
-
https://github.com/roundcube/roundcubemail/issues/6238
check_request() bypass in archive plugin · Issue #6238 · roundcube/roundcubemail · GitHubPatch;Third Party Advisory
-
https://www.debian.org/security/2018/dsa-4181
Debian -- Security Information -- DSA-4181-1 roundcubeThird Party Advisory
-
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
CVE-2018–9846: Roundcube 1.2.0–1.3.5 mx injection - Andrea Basile - MediumExploit;Third Party Advisory
-
https://github.com/roundcube/roundcubemail/issues/6229
MX injection and type juggling vulnerabilities · Issue #6229 · roundcube/roundcubemail · GitHubPatch;Third Party Advisory
Jump to