CVE ID | |
CVSS SCORE | 6.3, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
AFFECTED VENDORS | Horde |
AFFECTED PRODUCTS | Groupware Webmail Edition |
VULNERABILITY DETAILS | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Horde Groupware Webmail Edition. Authentication is required to exploit this vulnerability. The specific flaw exists within remote_unsubscribe.php. When parsing the remote_cals parameter, the process does not properly validate user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the www-data user. |
ADDITIONAL DETAILS | This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline. Mitigation: |
DISCLOSURE TIMELINE | 03/13/20 – ZDI reported the vulnerabilities to the vendor |
CREDIT | Esteban Ruiz (mr_me) of Source Incite |
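The pattern the advisory describes, as an added illustration that is not Horde's code: a hypothetical handler for a `remote_cals` request parameter, first in the unsafe shape (user-controlled string passed straight to `unserialize()`), then in two hardened shapes. The function names, the JSON-list format and the sample input are assumptions made for this example.

```php
<?php
// Added illustration, not Horde's code. Hypothetical handlers for a
// "remote_cals" parameter as described in the advisory.
declare(strict_types=1);

// UNSAFE: the raw parameter is handed to unserialize(). Whoever controls
// the string chooses which loadable classes get instantiated, so any class
// with side effects in __wakeup()/__destruct() becomes reachable.
function unsubscribe_unsafe(string $remoteCals): array
{
    $cals = unserialize($remoteCals);          // deserialization of untrusted data
    return is_array($cals) ? $cals : [];
}

// HARDENED: accept only a JSON list of http(s) URL strings. JSON cannot
// express PHP objects, and every element is validated before use.
function unsubscribe_hardened(string $remoteCals): array
{
    $cals = json_decode($remoteCals, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($cals)) {
        throw new InvalidArgumentException('remote_cals must be a JSON list');
    }
    $clean = [];
    foreach ($cals as $cal) {
        if (!is_string($cal)
            || strlen($cal) > 2048
            || filter_var($cal, FILTER_VALIDATE_URL) === false
            || !in_array(parse_url($cal, PHP_URL_SCHEME), ['http', 'https'], true)) {
            throw new InvalidArgumentException('remote_cals contains an invalid calendar URL');
        }
        $clean[] = $cal;
    }
    return $clean;
}

// INTERIM: if the serialized wire format cannot be replaced yet, forbid
// object instantiation so the input can only yield scalars and arrays,
// then still filter the result to plain strings.
function unsubscribe_legacy(string $remoteCals): array
{
    $cals = unserialize($remoteCals, ['allowed_classes' => false]);
    return is_array($cals) ? array_values(array_filter($cals, 'is_string')) : [];
}

// Constructed sample input (not taken from the advisory).
$sample = json_encode(['https://calendars.example.test/team.ics']);
var_dump(unsubscribe_hardened($sample));
```

For detection, a request to `remote_unsubscribe.php` whose `remote_cals` value begins with PHP serialization markers such as `O:` or `a:` rather than the expected calendar identifiers is the observable to alert on.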