PT-2017-17721 · Horde · Horde Groupware Webmail Edition, Horde Crypt

Published: 2017-04-04 · Updated: 2019-10-03 · CVE-2017-7414

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Horde Crypt versions prior to 2.7.6
Horde Groupware Webmail Edition versions 5.x through 5.2.17
Description

The issue occurs when a user has PGP features enabled and has chosen to automatically verify PGP-signed messages. An attacker can exploit this by sending a maliciously crafted PGP-signed email to the user, who must then view or preview the email to trigger the exploit. This can lead to OS command injection on the server running the webmail application.
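As an added illustration of the bug class this advisory names (OS command injection in code that shells out to gpg), the following PHP is not Horde's code and does not reproduce the actual defect fixed in Horde Crypt 2.7.6. It contrasts a gpg invocation that splices a message-derived value into a shell command string with two hardened forms. The binary path, the function names and the constructed input are assumptions.

```php
<?php
// Added illustration of the bug class named in this advisory (OS command
// injection in code that shells out to gpg to verify a signature). This is
// NOT Horde_Crypt's code and does not reproduce the actual CVE-2017-7414
// defect; every function, path and input below is hypothetical/constructed.

const GPG_BINARY = '/usr/bin/gpg'; // operator-controlled, never taken from the message

// Vulnerable pattern: a message-derived value is spliced into a command
// string handed to a shell, so shell metacharacters in it are interpreted.
function buildVerifyCommandUnsafe(string $sigPath, string $dataPath): string
{
    return GPG_BINARY . ' --verify ' . $sigPath . ' ' . $dataPath;
}

// Hardened pattern 1: each argument is quoted with escapeshellarg(), so the
// shell sees exactly one literal word per argument.
function buildVerifyCommandSafe(string $sigPath, string $dataPath): string
{
    return GPG_BINARY . ' --batch --no-tty --verify '
        . escapeshellarg($sigPath) . ' ' . escapeshellarg($dataPath);
}

// Hardened pattern 2 (preferred on PHP >= 7.4): pass an argv array to
// proc_open(), which executes gpg directly with no shell involved at all.
function runVerifyNoShell(string $sigPath, string $dataPath): array
{
    $argv = [GPG_BINARY, '--batch', '--no-tty', '--verify', $sigPath, $dataPath];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    // gpg exits 0 only for a good signature; treat anything else as "not verified".
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed hostile input: a "file name" that carries a shell command separator.
$hostile = '/tmp/sig.asc; echo INJECTED';
$data    = '/tmp/message.txt';

// Only builds the strings; nothing from the unsafe form is executed here.
echo "unsafe: ", buildVerifyCommandUnsafe($hostile, $data), PHP_EOL;
echo "safe:   ", buildVerifyCommandSafe($hostile, $data), PHP_EOL;

// The argv form never consults a shell, so the separator is just bytes in a
// file name that gpg fails to open.
$result = runVerifyNoShell($hostile, $data);
echo "no-shell exit status: ", $result['status'], PHP_EOL;
```

In the unsafe string the `;` ends the gpg command and the rest of the hostile value becomes a second shell command; in the escapeshellarg() form the whole hostile value is wrapped in single quotes and reaches gpg as one file-name argument. The proc_open() argv form removes the shell from the path entirely, which is the mitigation to prefer whenever the PHP version allows it.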
Recommendations

For Horde Crypt versions prior to 2.7.6, update to version 2.7.6 or later.
For Horde Groupware Webmail Edition versions 5.x through 5.2.17, consider disabling the PGP features or the automatic verification of PGP-signed messages until an update is available.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2017-7414
DLA-1398-1

Affected Products

Horde Groupware Webmail Edition
Horde Crypt