CVE-2016-9920 — Vulnetix

Try Vulnetix Request Demo

CVE-2016-9920 PUBLISHED

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

EPSS 44.83% · 97.5th percentile

Risk Scores

EPSS Score

44.83%

97.5th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	roundcube	0, 1.1.1+dfsg.1-2, 1.1.2+dfsg.1-5

Timeline

Dec 8, 2016 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score
Aug 31, 2023 EPSS Score
Oct 22, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2016-9920 third-party-advisory
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ third-party-advisory
http://www.openwall.com/lists/oss-security/2016/12/08/10 third-party-advisory
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2016-9920 third-party-advisory

Open in Interactive Console →