[Tickets #14926] Re: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
noreply at bugs.horde.org
Mon Nov 18 20:25:44 UTC 2019
PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS
E-MAIL ADDRESS ARE NOT READ.
Ticket URL: https://bugs.horde.org/ticket/14926
------------------------------------------------------------------------------
Ticket | 14926
Updated By | Jan Schneider <jan at horde.org>
Summary | Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails
| <= v5.2.22
Queue | Horde Groupware
Version | 5.2.22
Type | Bug
-Status | Unconfirmed
+Status | Resolved
Priority | 3. High
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2019-11-18 21:25) wrote:
For the record:
* The XSS in the Horde tag cloud widget had already been discovered,
fixed, and released by ourselves with Horde 5.2.21 on April 21, before
the report: https://lists.horde.org/archives/announce/2019/001278.html
Without this, the whole "attack" is not exploitable.
* Adding bookmarks in Trean is indeed not CSRF protected, but that's
low priority for us, because it's a non-destructive action.
* GETting IMAP messages from IMP is a core functionality of the
webmail client and is hardly to be called a vulnerability. Whether it
would make sense to token-protect such requests is at least debatable.
* The reporter irresponsibly disclosed his findings, because we were
not willing, nor able to pay him a bounty price upfront.
Also for the record, these findings have been assigned CVE-2019-12094
& CVE-2019-12095.
Conclusion: no Horde installation installed or updated since April
21st 2019 is vulnerable to this exploit.