FreeBSD : Roundcube -- arbitrary command execution (125f5958-b611-11e6-a9a5-b499baebfeaf)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The Roundcube project reports :

steps/mail/ in Roundcube before 1.1.7 and 1.2.x before
1.2.3, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line, which allows remote
authenticated users to execute arbitrary code via a modified HTTP
request that sends a crafted e-mail message.

See also :

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.0

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 95393

Bugtraq ID: 94858

CVE ID: CVE-2016-9920
