According to a report from SonarSource, the open-source Horde Webmail client contains a new, unpatched security vulnerability that could be exploited to gain remote code execution on the email server simply by sending a carefully crafted email to a victim.
The vendor was notified of the vulnerability on February 2, 2022, and it was assigned the identifier CVE-2022-30287. Horde Project maintainers did not immediately respond to a request for comment on the unresolved vulnerability.
Horde Webmail has not been actively updated since 2017, and scores of security holes have been found in the productivity suite, so users should consider switching to another provider.
“With such a high level of confidence placed in webmail servers, they naturally constitute a very attractive target for attackers,” the researchers stated.
The vulnerability allows an authorized user of a Horde instance to run malicious code on the underlying server by exploiting a flaw in the client's handling of contact lists.
“Once the email is seen, the attacker may quietly take control of the whole mail server without any additional user involvement; the vulnerability is included in the default setup and can be exploited without knowledge of a targeted Horde instance.”
This could then be combined with a cross-site request forgery (CSRF) attack to execute the code remotely.
CSRF is an attack in which a web browser is tricked into performing a harmful action in an application to which the user is signed in. It abuses the web application's trust in an authenticated user.