[Tickets #14926] Re: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22

noreply at bugs.horde.org noreply at bugs.horde.org
Sat Dec 16 17:42:11 UTC 2023


Ticket URL: https://bugs.horde.org/ticket/14926
  Ticket             | 14926
  Updated By         | tu.demop at gmail.com
  Summary            | Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing
                     | Emails <= v5.2.22
  Queue              | Horde Groupware
  Version            | 5.2.22
  Type               | Bug
  State              | Resolved
  Priority           | 3. High
  Milestone          |
  Patch              |
  Owners             |

tu.demop at gmail.com (2023-12-16 17:42) wrote:

> The original report included the following:
>> # Attacker can combine "CSRF vulnerability in Trean Bookmarks
>> (defaultly installed on Horde Groupware)" and
>> # "Stored XSS vulnerability in Horde TagCloud (defaultly  
>> installed)" vulnerabilities to steal victim's emails.
>> # Also:
>> # Attacker can use 3 different reflected XSS vulnerability to  
>> exploit Remote Command Execution, SQL Injection and Code Execution.
> I am working on updating the Horde packages in Debian LTS, also  
> coordinating with the security team for an update to Debian stable,  
> and so some clarification would help.
> It is clear that the TagCloud XSS (CVE-2019-12094) was fixed and the  
> associated commit was easy to find and applied cleanly to the Horde  
> package in Debian.  It is also clear that the CSRF (CVE-2019-12095)  
> has been deemed minor and not worth fixing.  However, it is not  
> clear that the "3 different reflected XSS vulnerability" have been  
> addressed.  Is there an additional vulnerability there beyond those  
> two which received CVE assignments?  Answering this would help  
> ensure that we properly track the state of Horde in Debian.

More information about the bugs mailing list