Roundcube Markasjunk Plugin Command Injection Vulnerability Analysis

On June 6, 2023, security researchers discovered a vulnerability in Roundcube’s “markasjunk” plugin. This vulnerability allows attackers to execute commands by sending a specially crafted identity email address through the plugin.

Although the vulnerability’s CVSSv3 score is defined as “6.5”, Cyberthint analysts consider its impact to be critical. CWE ID: CWE-77.

Affected Versions: Roundcube 1.6.1 and earlier, when the markasjunk plugin is enabled.
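The two conditions above (version 1.6.1 or earlier, markasjunk enabled) can be checked on an installation with a short script. This is an added example, not code from Roundcube or from the original advisory. It assumes the version is declared as `RCMAIL_VERSION` in `program/include/iniset.php` and that plugins are listed in `$config['plugins']` in `config/config.inc.php`; the sample inputs are constructed.

```python
import re

LAST_AFFECTED = (1, 6, 1)  # from the advisory: 1.6.1 and earlier

def parse_version(iniset_php: str):
    """Return the numeric RCMAIL_VERSION as a tuple, or None if absent."""
    m = re.search(
        r"define\(\s*['\"]RCMAIL_VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)",
        iniset_php)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad "1.6" to (1, 6, 0) so tuple comparison is well defined.
    return tuple(parts + [0] * (3 - len(parts)))

def enabled_plugins(config_php: str):
    """Return plugin names from the last active $config['plugins'] line."""
    # Drop commented-out lines so a disabled plugin list is not counted.
    active = "\n".join(line for line in config_php.splitlines()
                       if not line.lstrip().startswith(("//", "#")))
    found = re.findall(
        r"\$config\[\s*['\"]plugins['\"]\s*\]\s*=\s*(?:array\s*\(|\[)"
        r"(.*?)(?:\)|\])\s*;", active, re.S)
    if not found:
        return []
    return re.findall(r"['\"]([A-Za-z0-9_]+)['\"]", found[-1])

def is_exposed(iniset_php: str, config_php: str) -> bool:
    """True when both conditions from the advisory hold."""
    version = parse_version(iniset_php)
    if version is None:
        raise ValueError("RCMAIL_VERSION not found")
    return (version <= LAST_AFFECTED
            and "markasjunk" in enabled_plugins(config_php))

# Constructed sample inputs (not taken from a real installation).
SAMPLE_INISET = "define('RCMAIL_VERSION', '1.6.1');"
SAMPLE_CONFIG = """<?php
// $config['plugins'] = ['archive'];
$config['plugins'] = ['archive', 'markasjunk', 'zipdownload'];
"""

if __name__ == "__main__":
    print("exposed:", is_exposed(SAMPLE_INISET, SAMPLE_CONFIG))
```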