OS Command Injection Vulnerability in Horde Groupware Webmail Edition by Horde
CVE-2017-7414

7.5 HIGH

Key Information:

Vendor: Horde

CVE Published: 4 April 2017

What is CVE-2017-7414?

The vulnerability is in Horde_Crypt prior to version 2.7.6 and affects users of Horde Groupware Webmail Edition 5.x up to 5.2.17. It is exploitable when a user has enabled PGP features in their preferences, particularly the automatic verification of PGP signed messages. By sending a maliciously crafted PGP signed email, an attacker can execute OS commands on the user's server when the email is viewed or previewed, posing a significant risk to the system's integrity and data security.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
