Description
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| php-horde-turba | fixed | 4.2.25-6 | | package |
Notes
https://blog.sonarsource.com/horde-webmail-rce-via-email/
https://lists.horde.org/archives/horde/Week-of-Mon-20220530/059225.html
Possible alternative patch: https://github.com/horde/turba/pull/7
Fixed by: https://github.com/horde/turba/commit/bc53d856ca87656cdc6e5fafd54f2360eb247e24 (v4.2.26)
Followup bugfix: https://github.com/horde/turba/commit/006affc530966704937c55611fadb1669026b9f6 (v4.2.27)
Fixed by: https://github.com/horde/turba/commit/69f67882539aa0909c3c8c15e37407e0aaa18d1c (v4.2.26)
Fixed by: https://github.com/horde/turba/commit/f09285c54673cd3d71d92a8c56da0a2c5ff329ce (v4.2.28)
EPSS
Related vulnerabilities
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
A vulnerability in the create function of the Horde Webmail software that allows an attacker to execute arbitrary code