Roundcube is shipped with the Password plugin. It is, like any other plugin, disabled by default. Once enabled, it allows an authenticated user to change their current password in the web interface. For this purpose, the plugin offers several drivers that can be used to perform the actual password change in the back end.
The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute arbitrary system commands with root privileges.
Created roundcubemail tracking bugs for this issue:
Affects: epel-5 [bug 1417867]
Affects: epel-6 [bug 1417866]