User Enumeration Vulnerability in Horde Groupware by Horde Group
CVE-2025-41066

6.9 MEDIUM

Key Information:

Vendor: Horde

Status
Vendor
CVE Published: 2 December 2025

What is CVE-2025-41066?

Horde Groupware v5.2.22 contains a user enumeration vulnerability that lets unauthenticated attackers determine whether a user account exists. An attacker sends a crafted HTTP request to '/imp/attachment.php' with specific parameters and observes the result: for an existing user, the server returns a download link for an empty file, while no response indicates a non-existent user. This difference in behavior exposes sensitive information and can lead to further attacks on the system.

Affected Version(s)

Groupware 5.2.22

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Amador Aparicio