{"id":"CVE-2020-12641","details":"rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.","aliases":["BIT-roundcube-2020-12641"],"modified":"2026-05-16T03:55:34.320827590Z","published":"2020-05-04T15:15:14.417Z","related":["openSUSE-SU-2020:1516-1","openSUSE-SU-2022:10148-1","openSUSE-SU-2024:11303-1"],"database_specific":{"unresolved_ranges":[{"vendor_product":"opensuse:backports_sle","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0-sp1"},{"last_affected":"15.0-sp2"}],"cpes":["cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*","cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*"]},{"vendor_product":"opensuse:leap","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"},{"last_affected":"15.2"}],"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12641"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"},{"type":"ADVISORY","url":"https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-41"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3"},{"type":"EVIDENCE","url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}