[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability

Jens Wahnes wahnes at uni-koeln.de
Wed Oct 12 13:02:02 UTC 2022


Frank Richter wrote:
> I stumbled over this: 
> https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
> Is this one fixed in the current versions?

The report mentions that the flaw is in "Sort.php". If that information 
is correct, then the flaw still exists, because "Sort.php" has not been 
updated since 2017 but the bug was reported to have existed in 2020.

See <https://github.com/horde/imp/commits/master/lib/Prefs/Sort.php> or 
<https://github.com/horde/imp/commits/FRAMEWORK_5_2/lib/Prefs/Sort.php> 
for a history of updates to "Sort.php".


Jens
