Description
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
References (2)
Core References
Mailing List, Vendor Advisory (x_refsource_confirm): https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html
Mailing List (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html
Scores
CVSS v3: 8.8
EPSS: 0.4045
EPSS Percentile: 98.5%
Attack Vector: NETWORK (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Details
CWE: CWE-78
Status: published
Products (1): horde/groupware < 5.2.17
Published: Apr 04, 2017
Tracked Since: Feb 18, 2026