PT-2022-4811 · Horde · Horde Groupware Webmail Edition

Published: 2022-06-02 · Updated: 2024-10-19 · CVE-2022-30287

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Horde Groupware Webmail Edition versions 5.2.22 and earlier

Description: The issue is a reflection injection flaw that leads to arbitrary deserialization of PHP objects. An authenticated user can exploit it to execute arbitrary code on the server by sending a specially crafted email. The vulnerability is triggered by a single GET request, which can be initiated through Cross-Site Request Forgery (CSRF): an attacker can craft a malicious email containing an external image that triggers the vulnerability when the email is rendered, with no further interaction from the victim. The only requirement is that the victim opens the malicious email. If successfully exploited, the attacker gains access to the email server, allowing them to intercept all email correspondence, access password reset links and confidential documents, impersonate employees, and steal all user credentials.

Recommendations: For Horde Groupware Webmail Edition versions 5.2.22 and earlier: at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the create function in turba/lib/Factory/Driver.php until a patch is available. Restrict access to the vulnerable Driver class to minimize the risk of exploitation. Avoid using the create function in the affected API endpoint until the issue is resolved. Users are recommended to seek an alternative service, as Horde Webmail has not been actively maintained since 2017 and contains numerous security issues.
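The description above characterises the flaw as reflection injection in a driver factory: a caller-controlled string ends up selecting which PHP class is instantiated. The following is an added illustration of the general pattern and its mitigation; it is not Horde's code, not the vulnerable function from turba/lib/Factory/Driver.php, and not a patch for the product. The `UnsafeDriverFactory` and `SafeDriverFactory` classes, the `AbstractDriver` base type, the `$driverName` parameter and the two sample drivers are all assumptions made for the example. It contrasts a factory that instantiates whatever class name it is handed with one that treats the request value only as a key into a fixed allowlist, so an unexpected string can never select a class.

```php
<?php
declare(strict_types=1);

// Hypothetical base type that every legitimate driver extends (assumption for this example).
abstract class AbstractDriver
{
    public function __construct(protected array $params = []) {}
    abstract public function name(): string;
}

// Two sample drivers, constructed for the example; they stand in for real backends.
final class SqlDriver extends AbstractDriver
{
    public function name(): string { return 'sql'; }
}

final class LdapDriver extends AbstractDriver
{
    public function name(): string { return 'ldap'; }
}

// Unsafe pattern: the class name comes straight from the caller (for instance a GET
// parameter). Any loadable class, including ones whose constructors or magic methods
// have side effects, can be instantiated with caller-chosen arguments. This is the
// reflection injection shape the advisory describes, shown here only for contrast.
final class UnsafeDriverFactory
{
    public function create(string $driverName, array $params): object
    {
        $class = $driverName;
        return new $class($params);
    }
}

// Hardened pattern: the caller's string is only a key into a fixed map of known
// drivers. Nothing the caller sends is ever used as a class name.
final class SafeDriverFactory
{
    private const DRIVERS = [
        'sql'  => SqlDriver::class,
        'ldap' => LdapDriver::class,
    ];

    public function create(string $driverName, array $params): AbstractDriver
    {
        if (!array_key_exists($driverName, self::DRIVERS)) {
            throw new InvalidArgumentException('Unknown driver: ' . $driverName);
        }
        $class  = self::DRIVERS[$driverName];
        $driver = new $class($params);

        // Defence in depth: even a mistaken map entry cannot yield a foreign type.
        if (!$driver instanceof AbstractDriver) {
            throw new UnexpectedValueException('Driver map entry is not a driver');
        }
        return $driver;
    }
}

// Constructed inputs: a legitimate driver key, then an arbitrary class-like string
// of the kind a malicious request would carry. The second is rejected before any
// instantiation takes place.
$factory = new SafeDriverFactory();
echo $factory->create('sql', ['dsn' => 'mysql://example'])->name(), PHP_EOL;

try {
    $factory->create('SomeUnexpectedClass', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the essential control: it removes the attacker's ability to choose the class at all, which is what the advisory's workaround (disabling or restricting access to the create function) achieves more bluntly. The `instanceof` check is secondary and only guards against a maintainer error in the map.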

Exploit

Weakness Enumeration

Deserialization of Untrusted Data

Special Elements Injection

Related Identifiers

BDU:2022-05809
CVE-2022-30287
DLA-3090-1
DLA-3923-1

Affected Products

Horde Groupware Webmail Edition