PT-2020-20337 · Horde · Horde Groupware Webmail Edition

Andrea Cardaci · Published 2020-03-10 · Updated 2022-10-07 · CVE-2020-8866

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Horde Groupware Webmail Edition version 5.2.22

Description: This issue allows remote, authenticated attackers to create arbitrary files on affected installations. The flaw exists within the add.php file and results from the lack of proper validation of user-supplied data, which allows the upload of arbitrary files. An attacker can leverage this, in conjunction with other issues, to execute code in the context of the www-data user.

Recommendations: For Horde Groupware Webmail Edition version 5.2.22, consider disabling the add.php file as a temporary workaround until a patch is available, or restrict access to this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2020-8866, DLA-2162-1, ZDI-20-275

Affected Products: Horde Groupware Webmail Edition