[announce] [SECURITY] CVE-2020-8518: RCE vulnerability in Horde_Data
jan at horde.org
Wed Feb 5 00:01:14 UTC 2020
a Remote Code Execution vulnerability has been found in the Horde_Data
library when processing CSV data, e.g. when importing CSV data in one
of the Horde applications. As far as Horde applications are concerned,
this is by default only exploitable by authenticated users. Only if
guest access has been actively enabled for an application that
supports importing of CSV data and for a resource in this application,
this vulnerability would be exploitable by unauthenticated users.
Unfortunately, a fix for this (then still unknown) vulnerability has
already been implemented three years ago, when hardening the affected
code in Horde_Data. But a new release hadn't been done for this
package since then. This also means that installations running the
development version of Horde, are not affected.
A fixed version of the Horde_Data (version 2.1.5) library has already
been released and everybody is advised to upgrade to Horde_Data 2.1.5
as soon as possible.
An independent Security Researcher, Andrea Cardaci, has reported this
vulnerability to SSD Secure Disclosure program.
The Horde Project
More information about the announce