Roundcube ships with the Password plugin. Like every other plugin, it is disabled by default. Once enabled, it lets an authenticated user change their own password from the web interface. To do so, the plugin offers several drivers that perform the actual password change in the back end. The DBMail driver suffers from a critical remote command execution vulnerability: the new password is passed into a system command without proper escaping, which allows an authenticated attacker to execute arbitrary system commands with root privileges.
Upstream bug: https://github.com/roundcube/roundcubemail/issues/4757
Upstream patch: https://github.com/roundcube/roundcubemail/commit/7c96646de0efda16cded8491138bfefe31aca940
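The following is an added illustration of the bug class described above, not code taken from the Roundcube Password plugin or from the upstream patch. It assumes a hypothetical helper invoked as "sudo dbmail-users -c <user> -w <password>" (the helper name and flags are placeholders) and contrasts unescaped string interpolation with the escapeshellarg() form that keeps each untrusted value a single shell argument.

```php
<?php
// Added example, not Roundcube's own code. The helper name "dbmail-users" and
// its "-c user -w password" flags are assumptions used only for illustration.

// Vulnerable pattern: untrusted values are interpolated straight into the
// command string, so shell metacharacters in the password are interpreted.
function build_command_unsafe(string $user, string $newpass): string
{
    return "sudo dbmail-users -c $user -w $newpass";
}

// Hardened pattern: each untrusted value is wrapped in escapeshellarg(), so the
// shell receives it as exactly one argument regardless of its content.
function build_command_safe(string $user, string $newpass): string
{
    return 'sudo dbmail-users -c ' . escapeshellarg($user)
         . ' -w ' . escapeshellarg($newpass);
}

// Constructed malicious input: a "password" that terminates the intended
// command and appends a second one.
$user    = 'alice';
$newpass = 'x; id > /tmp/pwned';

echo "unsafe: " . build_command_unsafe($user, $newpass) . "\n";
echo "safe:   " . build_command_safe($user, $newpass) . "\n";

// Show what the shell actually delivers for the safe form without touching the
// (hypothetical) real helper: swap it for printf so each argument prints on
// its own line. The unsafe form is deliberately never executed here.
$probe = str_replace('sudo dbmail-users', "printf '%s\\n'",
                     build_command_safe($user, $newpass));
exec($probe, $out, $rc);
if ($rc !== 0) {
    fwrite(STDERR, "probe failed with exit code $rc\n");
    exit(1);
}
// Expected: 4 arguments, the last one being the whole malicious password.
printf("safe form delivered %d arguments: %s\n", count($out), json_encode($out));
```

Run it with the PHP CLI; the unsafe string shows "id > /tmp/pwned" sitting after a command separator, while the probe confirms the escaped form hands the helper the literal password as a single argument. The same check applies to any driver that shells out: every value derived from the request or session must be escaped, and the helper should be granted the narrowest sudo rule that still lets it do its job.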
Created roundcubemail tracking bugs for this issue:
Affects: epel-5 [bug 1417867]
Affects: epel-6 [bug 1417866]