Description
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Remediation
References
Related Vulnerabilities
WordPress Plugin mb.YTPlayer for background videos Unspecified Vulnerability (1.7.2)
Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-20415)
WordPress Plugin Async JavaScript Security Bypass (2.19.07.14)
Joomla! Core 3.3.x Remote File Inclusion (3.3.0 - 3.3.4)
Moodle Improper Input Validation Vulnerability (CVE-2013-2083)