<vuln vid="bb30748d-e294-11ec-ae35-a0f3c100ae18">

    <topic>Remote Code Execution via Email found in Turba</topic>

    <affects>

      <package>

	<name>php74-horde-turba</name>

	<name>php80-horde-turba</name>

	<name>php81-horde-turba</name>

	<range><le>4.2.25</le></range>

      </package>

    </affects>

    <description>

      <body xmlns="http://www.w3.org/1999/xhtml">

	<p>Sonar Blog reports:</p>

	<blockquote cite="https://blog.sonarsource.com/horde-webmail-rce-via-email/">

	  <p>The discovered code vulnerability (CVE-2022-30287) allows an

	  authenticated user of a Horde instance to execute arbitrary code

	  on the underlying server.</p>

	  <p>The vulnerability can be exploited with a single GET request

	  which can be triggered via Cross-Site-Request-Forgery.  For this,

	  an attacker can craft a malicious email and include an external

	  image that when rendered exploits the vulnerability without

	  further interaction of a victim: the only requirement is to have

	  a victim open the malicious email.</p>

	  <p>The vulnerability exists in the default configuration and can

	  be exploited with no knowledge of a targeted Horde instance. We

	  confirmed that it exists in the latest version. The vendor has

	  not released a patch at the time of writing.</p>

	  <p>Another side-effect of this vulnerability is that the

	  clear-text credentials of the victim triggering the exploit are

	  leaked to the attacker. The adversary could then use them to

	  gain access to even more services of an organization.</p>

	</blockquote>

      </body>

    </description>

    <references>

      <cvename>CVE-2022-30287</cvename>

      <url>https://blog.sonarsource.com/horde-webmail-rce-via-email/</url>

    </references>

    <dates>

      <discovery>2022-05-31</discovery>

      <entry>2022-06-02</entry>

    </dates>

  </vuln>