Security News > 2022 > February > 9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.

"This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization," SonarSource vulnerability researcher, Simon Scannell, said in a report.

An "All volunteer project," the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

The flaw, which was introduced as part of a code change pushed on November 30, 2012, relates to a case of an "Unusual" stored cross-site scripting flaw that allows an adversary to craft an OpenOffice document in such a manner that when it's previewed, it automatically executes arbitrary JavaScript payload. Stored XSS attacks arise when a malicious script is injected directly into a vulnerable web application's server, such as a comment field of a website, causing the untrusted code to be retrieved and transmitted to the victim's browser every time the stored information is requested.

Even worse, should an administrator account with a personalized, malicious email is successfully compromised, the attacker could abuse this privileged access to take over the entire webmail server.

In the interim, Horde Webmail users are advised to disable the rendering of OpenOffice attachments by editing the config/mime drivers.

News URL

https://thehackernews.com/2022/02/9-year-old-unpatched-email-hacking-bug.html