VIR Vulnerability Intelligence Relay

CVE-2020-8865

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-48210 webapps php
Andrea Cardaci · 2020-03-11

Horde Groupware Webmail Edition 5.2.22 - PHAR Loading

Source code queued for fetch — refresh in a moment.
EDB-48209 webapps php
Andrea Cardaci · 2020-03-11

Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion

Source code queued for fetch — refresh in a moment.

OS impact
debian Debian Fixed 3 releases
VersionStatusFixed in
sid Fixed 1.1.10-1
bullseye Fixed 1.1.10-1
bookworm Fixed 1.1.10-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.