There was a Critical security voulnerability announced today affecting version 1.2.2 and lower of Roundcube that permits a malicious user to execute commands on the local machine.
Details:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:
Roundcube must be configured to use PHP鈥檚 mail() function (by default, if no SMTP was specified 2 )
(Also see #997.)
Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:
Still, I think that the update should be released as Roundcube 1.2.3 is a stable release.
Most helpful comment
Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:
(Also see #997.)