CVE-2017-7414

HIGH

Horde_Crypt <2.7.6 - Command Injection

Title source: llm
STIX 2.1

Description

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.

References (2)

Core 2
Core References
Mailing List, Vendor Advisory x_refsource_confirm
https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html

Scores

CVSS v3 7.5
EPSS 0.0125
EPSS Percentile 65.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (20)
horde/groupware 5.0.0 (2 CPE variants)
horde/groupware 5.0.1
horde/groupware 5.0.2
horde/groupware 5.0.3
horde/groupware 5.0.4
horde/groupware 5.0.5
horde/groupware 5.1.0 (2 CPE variants)
horde/groupware 5.1.1
horde/groupware 5.1.2
horde/groupware 5.1.3
... and 10 more
Published Apr 04, 2017
Tracked Since Feb 18, 2026