[announce] [SECURITY] CVE-2020-8518: RCE vulnerability in Horde_Data

Jan Schneider jan at horde.org
Wed Feb 5 00:01:14 UTC 2020


A Remote Code Execution vulnerability has been found in the Horde_Data
library when processing CSV data, e.g. when importing CSV data in one
of the Horde applications. As far as Horde applications are concerned,
this is by default only exploitable by authenticated users. It would
only be exploitable by unauthenticated users if guest access has been
actively enabled for an application that supports importing CSV data,
and for a resource in that application.

Unfortunately, a fix for this (then still unknown) vulnerability had
already been implemented three years ago, when the affected code in
Horde_Data was hardened, but no new release of the package had been
made since then. This also means that installations running the
development version of Horde are not affected.

A fixed version of the Horde_Data library (version 2.1.5) has been
released, and everybody is advised to upgrade to Horde_Data 2.1.5 as
soon as possible.
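The quickest way to tell whether a host still needs this upgrade is to compare the installed PEAR package version against 2.1.5. The script below is an added example, not part of this announcement or of the Horde project; it assumes Horde_Data was installed through PEAR from the pear.horde.org channel and that `pear list -c horde` prints one "Horde_Data <version> <state>" line per package (a constructed sample of that output is embedded so the check runs offline).

```sh
#!/bin/sh
# Added example (not Horde code): report whether the installed Horde_Data
# PEAR package is at or above the release that fixes CVE-2020-8518.
FIXED_VERSION="2.1.5"

# version_at_least INSTALLED FIXED: exit 0 if INSTALLED >= FIXED.
# Compares dot-separated components numerically with awk so it does not
# depend on `sort -V`. Pre-release suffixes (e.g. "RC1") are ignored.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) exit (p > q ? 0 : 1)
        }
        exit 0
    }'
}

# Read `pear list -c horde` output on stdin and print the Horde_Data version.
# Assumption: package lines look like "Horde_Data   2.1.4   stable".
horde_data_version_from_pear_list() {
    awk '$1 == "Horde_Data" { print $2; exit }'
}

# Read `pear list -c horde` output on stdin.
# Exit status: 0 = fixed release installed, 1 = vulnerable, 2 = not found.
assess_horde_data() {
    ver=$(horde_data_version_from_pear_list)
    if [ -z "$ver" ]; then
        echo "Horde_Data not found in the PEAR horde channel listing"
        return 2
    fi
    if version_at_least "$ver" "$FIXED_VERSION"; then
        echo "Horde_Data $ver is at or above $FIXED_VERSION: fixed"
        return 0
    fi
    echo "Horde_Data $ver is below $FIXED_VERSION: vulnerable," \
         "upgrade with: pear upgrade horde/Horde_Data"
    return 1
}

# Constructed sample of `pear list -c horde` output (not captured from a
# real host), showing an installation that still needs the upgrade.
SAMPLE_PEAR_LIST='Installed packages, channel pear.horde.org:
=========================================
Package              Version State
Horde_Core           2.31.10 stable
Horde_Data           2.1.4   stable
Horde_Util           2.5.9   stable'

# Demo against the sample; on a live host run:
#   pear list -c horde | assess_horde_data
printf '%s\n' "$SAMPLE_PEAR_LIST" | assess_horde_data || echo "(exit status $?)"
```

Pipe the real `pear list -c horde` output into `assess_horde_data` on each Horde host; a non-zero exit status means the host is either still on a pre-2.1.5 Horde_Data or did not get the library from PEAR at all (Git checkouts of the development branch already carry the hardened code and need to be checked by commit instead).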

An independent security researcher, Andrea Cardaci, reported this
vulnerability to the SSD Secure Disclosure program.

Jan Schneider
The Horde Project
