
A zero-day cross-site scripting (XSS) vulnerability in the Horde webmail client could allow an attacker to steal a victim’s emails and infiltrate their network, researchers warn.
Researchers revealed that the client contains a stored XSS vulnerability that has yet to be patched. The stored XSS is triggered by the process of rendering an OpenOffice file into a viewable format.
An OpenOffice document is a ZIP file containing XML documents and other files. When Horde is asked to convert an OpenOffice document to HTML to be previewed, it uses XSLT. The converted document is returned to the user without any sanitization.
If an attacker crafts an OpenOffice document that leads to JavaScript injection in the resulting XHTML, an XSS vulnerability occurs. The XSS payload triggers and gives the attacker full access to the victim’s session. This means the attacker can steal all emails and, in a worst-case scenario, even execute arbitrary system commands if the victim has the administrator role.
The security flaw can give an attacker access to all information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization.
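The missing step described above is sanitization of the converter's XHTML before it reaches the browser. The following is an added example, not Horde's code (Horde is written in PHP; Python is used here for illustration): an allowlist filter that rebuilds the converted document from known-inert elements and attributes only. The tag and attribute lists, the function names and the sample input are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Assumed allowlist for a document preview; extend only with inert markup.
ALLOWED_TAGS = {"html", "head", "title", "body", "div", "p", "span", "br", "b", "i",
                "u", "h1", "h2", "h3", "ul", "ol", "li", "table", "tr", "td", "th", "a"}
ALLOWED_ATTRS = {"href", "title", "colspan", "rowspan"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Constructed sample of converter output carrying active content.
SAMPLE = ('<html xmlns="http://www.w3.org/1999/xhtml"><body onload="x()">'
          '<p>Quarterly report<script>x()</script> attached.</p>'
          '<a href="javascript:x()">link</a><a href="https://example.com/">ok</a>'
          '</body></html>')

def _split(name):  # ElementTree spells qualified names as '{namespace}local'
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else ("", name)

def _allowed(elem):
    ns, local = _split(elem.tag)
    return ns in ("", XHTML_NS) and local in ALLOWED_TAGS

def _copy(src):
    """Rebuild src keeping only allowlisted elements and attributes."""
    dst = ET.Element(_split(src.tag)[1])
    dst.text = src.text
    for name, value in src.attrib.items():
        safe_url = name != "href" or value.strip().lower().startswith(SAFE_SCHEMES)
        if name in ALLOWED_ATTRS and safe_url:  # on* handlers, namespaced attrs dropped
            dst.set(name, value)
    last = None
    for child in src:
        kept = _copy(child) if _allowed(child) else None  # disallowed: drop subtree
        tail = child.tail or ""
        if kept is not None:
            kept.tail = tail
            dst.append(kept)
            last = kept
        elif last is not None:  # keep the text that followed the dropped node
            last.tail = (last.tail or "") + tail
        else:
            dst.text = (dst.text or "") + tail
    return dst

def sanitize_preview(xhtml):
    """Return allowlisted HTML for converter output, or raise ValueError."""
    if "<!DOCTYPE" in xhtml.upper():  # assumption: previews carry no DTD or entities
        raise ValueError("DOCTYPE not accepted")
    root = ET.fromstring(xhtml)  # comments and processing instructions are discarded
    if not _allowed(root):
        raise ValueError("unexpected root element")
    return ET.tostring(_copy(root), encoding="unicode", method="html")
```

Because the filter copies what is allowed instead of deleting what looks dangerous, elements from other namespaces (SVG, MathML) and any markup not listed are dropped by default.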
This was reported to the Horde project in August 2021, but because there was no response, the vulnerability was made public. Users will still be able to download the OpenOffice documents and view them locally, but Horde won’t attempt to render them in the browser.