A critical RCE flaw in Horde Webmail has yet to be addressed

Pierluigi Paganini June 02, 2022

A remote code execution vulnerability in the open-source Horde Webmail client can allow to take over servers by sending a specially crafted email.

Researchers from SonarSource discovered a remote code execution vulnerability (CVE-2022-30287) in the open-source Horde Webmail client. Horde Webmail allows users to manage contacts, the flaw could be exploited by an authenticated user of a Horde instance to take over an email server by sending a specially crafted email to a victim.

“The vulnerability can be exploited with a single GET request which can be triggered via Cross-Site-Request-Forgery.  For this, an attacker can craft a malicious email and include an external image that when rendered exploits the vulnerability without further interaction of a victim: the only requirement is to have a victim open the malicious email.” reads the advisory published by SonarSource.

Horde Webmail

The vulnerability resides in the default configuration, it can be simply exploited by tricking victims into opening the malicious email. The researchers also explained that the clear-text credentials of the victim triggering the exploit are leaked to the attacker in case of successful exploitation of the bug.

The Horde Webmail reached its end of life in 2017 it is known to be affected by multiple flaws, for this reason, users should stop using it.

“If a sophisticated adversary could compromise a webmail server, they can intercept every sent and received email, access password-reset links, and sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service.” conclude the experts.

Below is the timeline for this flaw that has yet to be addressed:

2022-02-02We report the issue to the vendor and inform about our 90 disclosure policy
2022-02-17We ask for a status update.
2022-03-02Horde releases a fix for a different issue we reported previously and acknowledge this report.
2022-05-03We inform the vendor that the 90-day disclosure deadline has passed

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Horde Webmail)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment