Ratiosec

Rank #29364 of 53,635
CVSS total: 8.8
Vulnerabilities · 1
PT-2019-2930
8.8
2019-03-24
Horde · Horde Groupware Webmail · CVE-2019-9858
**Name of the Vulnerable Software and Affected Versions**

Horde Groupware Webmail versions 5.2.17 through 5.2.22

**Description**

A remote code execution issue was discovered in the handling of image uploads in forms. The `Horde_Form_Type_image` class in `Horde/Form/Type.php` lets an attacker control the file path used to save an uploaded image: the unsanitized `object[photo][img][file]` POST parameter is copied into the `$upload[img][file]` PHP variable and then used as part of the destination path. Because the value is never checked for directory traversal, an attacker can set it to a path such as `../usr/share/horde/static/bd.php` and have the uploaded content written as a PHP file inside the web root. The `static/` folder is the natural destination because it is typically writable by the web server in Horde installations, so the dropped file is immediately reachable and executed as PHP.

**Recommendations**

For versions 5.2.17 through 5.2.22, consider disabling the `Horde_Form_Type_image` class or restricting access to its `onSubmit()` method until a patch is available. Remove write access to the `static/` folder for the web server user so that a traversal no longer lands inside the web root. Block or strip the `object[photo][img][file]` parameter from requests to the affected endpoint until the issue is resolved; legitimate form submissions do not need a client-supplied destination path. Because a successful attack leaves a `.php` file in `static/`, auditing that directory for unexpected PHP files is a quick check for prior exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
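The following is an added example, not Horde code and not from this advisory. It models in Python the flawed pattern described above (a client-supplied file name joined to a temp directory and handed to the equivalent of PHP's `move_uploaded_file()` unchanged) next to a hardened version that ignores the client name, keeps only an allow-listed extension, and re-checks that the final path stays inside the temp directory. The payload is the one quoted in the advisory; the `/tmp` temp directory and the image extension allow-list are assumptions made for the example.

```python
import os
import secrets

# Constructed input: the attacker-controlled POST value quoted in the advisory.
TRAVERSAL_NAME = "../usr/share/horde/static/bd.php"

# Assumed temp directory for the example; the real location is install-specific.
TMP_DIR = "/tmp"

# Assumed allow-list of image extensions for the hardened variant.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def vulnerable_destination(tmp_dir: str, user_file: str) -> str:
    """The flawed pattern: the client-supplied name is joined to the temp
    directory and used as the move destination without any check.
    normpath() collapses the '..' components exactly as the filesystem
    would when the file is written."""
    return os.path.normpath(os.path.join(tmp_dir, user_file))


def escapes(base_dir: str, candidate: str) -> bool:
    """True if candidate does not lie under base_dir after normalisation.
    Both arguments are expected to be absolute. Production code should also
    resolve symlinks with os.path.realpath before comparing."""
    base = os.path.normpath(base_dir)
    cand = os.path.normpath(candidate)
    return os.path.commonpath([base, cand]) != base


def hardened_destination(tmp_dir: str, user_file: str) -> str:
    """Never trust the client's path. Derive only the extension from the
    client value, reject anything that is not an image, generate a random
    file name inside tmp_dir, and re-verify containment as a last line of
    defence."""
    ext = os.path.splitext(os.path.basename(user_file))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload extension {ext!r}")
    dest = os.path.join(tmp_dir, secrets.token_hex(16) + ext)
    if escapes(tmp_dir, dest):
        raise ValueError("destination escaped the temp directory")
    return dest


if __name__ == "__main__":
    bad = vulnerable_destination(TMP_DIR, TRAVERSAL_NAME)
    print("vulnerable pattern writes to:", bad, "escapes:", escapes(TMP_DIR, bad))
    print("hardened pattern for photo.png:", hardened_destination(TMP_DIR, "photo.png"))
    try:
        hardened_destination(TMP_DIR, TRAVERSAL_NAME)
    except ValueError as exc:
        print("hardened pattern rejects payload:", exc)
```

Run stand-alone, the script shows the advisory's payload resolving to `/usr/share/horde/static/bd.php` under the vulnerable pattern and being rejected by the hardened one. The containment check is kept even though the random name makes traversal impossible, so that a later refactor that reintroduces client input into the path fails closed rather than silently.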