On June 6, 2023, security researchers discovered a vulnerability in Roundcube’s “markasjunk” plugin. This vulnerability allow attackers to execute command by sending a specifically crafted identity email address through plugin.
Although the CVSSv3 score of the vulnerability is defined as “6.5”, according to Cyberthint analysts, its impact is actually critical and CWE ID: CWE-77.
Affected Versions: Roundcube versions 1.6.1 and earlier versions, when the markasjunk plugin is enabled.