CVE-2017-7413

HIGH

Horde_Crypt <2.7.6 - Command Injection

Description

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.

References (2)

Core References
Mailing List, Vendor Advisory x_refsource_confirm
https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html

Scores

CVSS v3 8.8
EPSS 0.4045
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
horde/groupware < 5.2.17
Published Apr 04, 2017
Tracked Since Feb 18, 2026