• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Resolved Roundcube vulnerability CVE-2025-49113

M

Mark_NLD

Basic Pleskian
Server operating system version
Ubuntu 24.04
Plesk version and microupdate number
18.0.56 #2
Roundcube has a new vulnerability: CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Click to expand...

Aleksander Machniak has released a secutity update: Roundcube Webmail 1.6.11

When can we expect this fix to be included in Plesk?
 
Mark_NLD said:
Roundcube has a new vulnerability: CVE-2025-49113
Aleksander Machniak has released a secutity update: Roundcube Webmail 1.6.11
When can we expect this fix to be included in Plesk?
Click to expand...
In addition to the important post above (i.e. Plesk upgrading their support, to enable us all to utilize Roundcube 1.6.11 asap) can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...
 
Please find the patch here:


learning_curve said:
can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...
Click to expand...

I will double-check when we plan to move Roundcube to PHP 8.4 and will follow up with more details as soon as possible.
 
Sebahat.hadzhi said:
Please find the patch here:
Click to expand...
Thank you @Sebahat.hadzhi That's the most urgent fix very quickly resolved.
In between steps 1. and 2. of the the syntax provided in that patch article, one obvious step is missing, so just posting it here, in case anybody forgets:

Either rename the file to match what the patch command expects:
Bash: 
mv 32537223826583 patch-roundcube-1.6.10-CVE-2025-49113
patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113
Or use the actual filename in the patch command:
Bash: 
patch -p1 -d /usr/share/psa-roundcube < 32537223826583
Both methods work obviously — It's just ensuring that the filename in the redirect < matches the actual file on disk
 
Sebahat.hadzhi said:
Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we are currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.
Click to expand...
My apologies. I was meaning; Roundcube version 1.6.11, as I was assuming that Plesk would be upgrading to that shortly.
However, in fairness, just double checked and Roundcube, won't now fully support PHP 8.4, until version 1.7 > onward anyway, so... :D
 
How to fix if Centos 7 does not have `patch` and cannot find it in repo to install?
 
I just want to confirm that along with Plesk Obsidian 18.0.70 Update 1 our team applied the upstream patch for Roundcube 1.4.15 and 1.6.10 to fix the CVE-2025-49113 vulnerability.

It should be automatically updated on Plesk Obsidian 18.0.69 and 18.0.70. If you are running an older Plesk version, please navigate to Tools & Settings > Updates and run the component updates manually.
 
Last edited:
Sebahat.hadzhi said:
I just want to confirm that along with Plesk Obsidian 18.0.70 Update 1 our team updated Roundcube 1.4.15 and 1.6.10 to fix the CVE-2025-49113 vulnerability.

It should be automatically updated on Plesk Obsidian 18.0.69 and 18.0.70. If you are running an older Plesk version, please navigate to Tools & Settings > Updates and run the component updates manually.
Click to expand...

This explanation is rather confusing and not really helpful. According to the CVE, only version 1.6.11 solves the problem. Thus, a statement that the upgrade to 18.0.70 Update 1 fixes it with version 1.6.10 is misleading. My assumption: You backported this from 1.6.11 in your version 1.6.10. However, that is not properly described. Other than that it is not clear why there is no official update to 1.6.11 yet.
 
B_P said:
This explanation is rather confusing and not really helpful. According to the CVE, only version 1.6.11 solves the problem. Thus, a statement that the upgrade to 18.0.70 Update 1 fixes it with version 1.6.10 is misleading. My assumption: You backported this from 1.6.11 in your version 1.6.10. However, that is not properly described. Other than that it is not clear why there is no official update to 1.6.11 yet.
Click to expand...
IF you've read all of this thread properly, then it's not confusing
The initial, quick response from Plesk to CVE-2025-49113 was a patch, which could be applied manually. This is effectively, back-porting just the "fix" for this problem, from the 1.6.11 release, which is not yet supported by Plesk, to the 1.6.10 release, which is supported by Plesk (at the time of writing).

Then, Plesk released 18.0.70 MU #1 which incorporated this fix into the Plesk supported version of the 1.6.10 release and at the same time, negated the manual application of the patch. If you were late on the uptake / were not aware of the patch, so didn't apply it, the upgrading to 18.0.70 MU #1 made the whole process much easier for you. Any semantics i.e. "...yes but it's not the the 1.6.11 release is it? It's 1.6.10, so... blah blah blah" are not really relevant.
 
I am sorry to disagree, BUT: As someone who typically get across such issues through the original CVE, just reading @Sebahat.hadzhi last message (and also the official release notes of Plesk), the formulation is imprecise. Yes the problem is solved, but through a backport. This should clearly be stated as not everyone might find and read this thread. And people not having read this, wonder how Plesk will have solved this by updating to a vulnerable version. And btw. if packages are modified compared to their original source, the versioning scheme should allow the users to understand that it is not the original version.
 
@B_P Apologies for any possible confusion caused. You are right. Our team applied the upstream patch for RoundCube 1.16, and updated it in order to be compatible with 1.14.x. I edited my previous reply to clarify that.
 
Last edited:
B_P said:
I am sorry to disagree,
Click to expand...
Feel free to disagree. Nobody is always right
B_P said:
BUT: As someone who typically get across such issues through the original CVE,
Click to expand...
If that ^^ IS the case, meaning that you were already aware of CVE-2025-49113, then what stopped you simply making a search for it, in this forum?
Had you done that, you would have then immediately found this thread, helpfully posted by @Mark_NLD complete with CVE-2025-49113 in the title!
Consequently, you would have seen the swift intervention, temporary & then final resolutions, by Plesk, without suffering from any confusion at all...
B_P said:
just reading @Sebahat.hadzhi last message (and also the official release notes of Plesk), the formulation is imprecise.
Click to expand...
That's your own view. Others differ. Such is life
B_P said:
Yes the problem is solved, but through a backport. This should clearly be stated as not everyone might find and read this thread. And people not having read this, wonder how Plesk will have solved this by updating to a vulnerable version. And btw. if packages are modified compared to their original source, the versioning scheme should allow the users to understand that it is not the original version.
Click to expand...
I'm not defending Plesk and you've already had an acknowledgement from @Sebahat.hadzhi on behalf of Plesk now anyway
We can quite easily, just agree to disagree & leave it there
FWIW In our own experience, pedantic, semantic posts, complete with aspects of #whataboutism don't always lead to speedy resolutions
 
My server is currently running Pleask 18.0.69 update 4.
Is my Roundcube 1.14 safe?
 
You must log in or register to reply here.
Back
Top