| Vulnerability Name: | CVE-2022-30287 (CCN-227829) | ||||||||||||
| Assigned: | 2022-05-31 | ||||||||||||
| Published: | 2022-05-31 | ||||||||||||
| Updated: | 2022-10-28 | ||||||||||||
| Summary: | Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects. | ||||||||||||
| CVSS v3 Severity: | 8.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) 7.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
7.0 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
| ||||||||||||
| CVSS v2 Severity: | 9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
| ||||||||||||
| Vulnerability Type: | CWE-352 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-30287 Source: CCN Type: SonarSource Blog, May 31, 2022 Horde Webmail - Remote Code Execution via Email Source: MISC Type: Exploit, Third Party Advisory https://blog.sonarsource.com/horde-webmail-rce-via-email/ Source: XF Type: UNKNOWN hordewebmail-cve202230287-code-exec(227829) Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20220831 [SECURITY] [DLA 3090-1] php-horde-turba security update Source: CCN Type: PortSwigger Web site Horde Webmail contains zero-day RCE bug with no patch on the horizon Source: CCN Type: The Hacker News Web site New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email Source: CCN Type: Horde Project Web site Horde Source: MISC Type: Release Notes, Vendor Advisory https://www.horde.org/apps/webmail Source: CCN Type: SecurityWeek Web site Unpatched Vulnerability Exposes Horde Webmail Servers to Attacks | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||