Open source webmail provider Roundcube has released an update that addresses a critical vulnerability in all default configurations that could allow an attacker to run arbitrary code on the host operating system.
The flaw is serious because it’s relatively simple to exploit and can allow an attacker to access email accounts or move deeper into the network.
Researchers at RIPS Technologies, a German company specializing in PHP application security analysis, privately disclosed the bug Nov. 21. Roundcube had the vulnerability fixed on GitHub a day later, and made an updated version publicly available Nov. 28. Versions 1.0 to 1.2.2 are vulnerable, and users are advised to update to 1.2.3.