CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2020-8866 – Horde Groupware Webmail Edition add Page Unrestricted File Upload Arbitrary File Creation Vulnerability
https://notcve.org/view.php?id=CVE-2020-8866
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. • https://www.exploit-db.com/exploits/48210 https://www.exploit-db.com/exploits/48209 https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html https://lists.horde.org/archives/announce/2020/001288.html https://www.zerodayinitiative.com/advisories/ZDI-20-275 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 96%CPEs: 4EXPL: 3CVE-2020-8518 – Horde CSV import arbitrary PHP code execution
https://notcve.org/view.php?id=CVE-2020-8518
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. Horde Groupware Webmail Edition versión 5.2.22, permite una inyección de código PHP arbitrario, por medio de datos CSV, conllevando a una ejecución de código remota. • https://www.exploit-db.com/exploits/48215 http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T https://lists.horde.org/archives/announce/2020/001285.html https://cardaci. • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 6CVE-2019-12094 – Horde Webmail 5.2.22 XSS / CSRF / SQL Injection / Code Execution
https://notcve.org/view.php?id=CVE-2019-12094
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. Horde Groupware Webmail Edition hasta la versión 5.2.22 permite XSS a través de admin / user.php? • https://bugs.horde.org/ticket/14926 https://cxsecurity.com/issue/WLB-2019050199 https://numanozdemir.com/respdisc/horde/horde.mp4 https://numanozdemir.com/respdisc/horde/horde.txt https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html https://www.exploit-db.com/exploits/46903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 6%CPEs: 1EXPL: 6CVE-2019-12095 – Horde Webmail 5.2.22 XSS / CSRF / SQL Injection / Code Execution
https://notcve.org/view.php?id=CVE-2019-12095
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload. Horde Trean, como se utiliza en Horde Groupware Webmail Edition a través de 5.2.22 y otros productos, permite CSRF, como lo demuestra el parámetro treanBookmarkTags al trean / URI en un servidor de correo web. NOTA: treanBookmarkTags podría, por ejemplo, ser una carga útil XSS almacenada. Horde Webmail version 5.2.22 suffers from code execution, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. • https://bugs.horde.org/ticket/14926 https://cxsecurity.com/issue/WLB-2019050199 https://exchange.xforce.ibmcloud.com/vulnerabilities/161333 https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html https://numanozdemir.com/respdisc/horde/horde.mp4 https://numanozdemir.com/respdisc/horde/horde.txt https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html https://www.exploit-db.com/exploits/46903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 95%CPEs: 4EXPL: 3CVE-2019-9858 – Horde Form File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2019-9858
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) .. • http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html https://seclists.org/bugtraq/2019/Jun/31 https://ssd-disclosure.com/?p=3814&preview=true https://www.debian.org/security/2019/dsa-4468 https://www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/horde_form_file_upload.rb • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •