Roundcube Webmail - Command Injection

Roundcube Webmail before 1.4.4 contains a command injection caused by shell metacharacters in configuration settings for im_convert_path or im_identify_path, letting attackers execute arbitrary code, exploit requires attacker to control configuration settings.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-12641
• https://github.com/mbadanoiu/CVE-2020-12641
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
• https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
• https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

Remediation:
To remediate this vulnerability, update to Roundcube Webmail 1.4.5, 1.3.12 or later.