A zero-day vulnerability in Horde Webmail enables attackers to take over the webserver and pivot to compromising an organization’s other services, according to security researchers.
Exploitation relies on an authenticated user of the targeted instance opening a malicious email sent by the attacker; doing so inadvertently triggers the exploit, which executes arbitrary code on the underlying server.
A patch for the RCE vulnerability in the open-source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.
Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server. By compromising webmail servers, attackers can intercept every sent and received email, access password-reset links and sensitive documents, impersonate personnel, and steal the credentials of all users logging into the webmail service.
The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single GET request, which brings cross-site request forgery (CSRF) into play. An attacker can craft a malicious email and include an external image that, when rendered, exploits the CSRF vulnerability.
The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass exploitation.
The researchers notified the maintainers about the issue on February 2 and disclosed the flaw today (June 1), having warned the maintainers on May 3 that the 90-day disclosure deadline had passed. In the meantime, on March 2, Horde released a fix for a separate issue previously reported by Sonar and acknowledged the latest vulnerability report, according to Sonar.
The flaw was documented by researchers from the Swiss firm Sonar, who advised users to abandon Horde Webmail.