CVE-2016-9920

Priority
Description
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3,
when no SMTP server is configured and the sendmail program is enabled, does
not properly restrict the use of custom envelope-from addresses on the
sendmail command line, which allows remote authenticated users to execute
arbitrary code via a modified HTTP request that sends a crafted e-mail
message.
Notes
Package
Upstream: released (1.2.3+dfsg.1-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.3.6+dfsg.1-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (1.3.6+dfsg.1-1)
Ubuntu 20.04 (Focal Fossa): not-affected (1.3.6+dfsg.1-1)
Patches:
Other: https://github.com/roundcube/roundcubemail/commit/f84233785ddeed01445fc855f3ae1e8a62f167e1
More Information

Updated: 2020-04-24 03:34:44 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)