CVE-2020-8865

Name of the Vulnerable Software and Affected Versions Horde Groupware Webmail Edition version 5.2.22

Description This issue allows remote attackers to execute local PHP files on affected installations. Authentication is required to exploit this issue. The specific flaw exists within the edit.php file. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other issues to execute code in the context of the www-data user.

Recommendations For Horde Groupware Webmail Edition version 5.2.22, as a temporary workaround, consider disabling the edit.php file or restricting access to it until a patch is available. Additionally, restrict the use of the params[template] parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.