Security News > 2022 > June > New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim.

"Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction," SonarSource said in a report shared with The Hacker News.

At its core, the issue makes it possible for an authenticated user of a Horde instance to run malicious code on the underlying server by taking advantage of a quirk in how the client handles contact lists.

"As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability without further interaction of a victim: the only requirement is to have a victim open the malicious email."

The disclosure comes a little over three months after another nine-year-old bug in the software came to light, which could permit an adversary to gain complete access to email accounts by previewing an attachment.

In light of the fact that Horde Webmail is no longer actively maintained since 2017 and dozens of security flaws have been reported in the productivity suite, users are recommended to switch to an alternative service.

News URL

https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html