PT-2025-48687 · Horde+1 · Horde Groupware+1
Amador Aparicio · Published 2025-12-02 · Updated 2025-12-02
CVE-2025-41066
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Horde Groupware version 5.2.22
Description
An unauthenticated attacker can determine the existence of valid accounts on the system. This is achieved by sending an HTTP request to the '/imp/attachment.php' endpoint with the parameters id and u. If the specified user exists, the server returns the download of an empty file. If the user does not exist, no download is initiated, revealing whether the user is valid.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Horde Groupware