CVE-2020-8865

MEDIUM

Horde Groupware Webmail Edition 5.2.22 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8865.

AI-analyzed exploit summary This exploit leverages a file inclusion vulnerability in Horde Webmail to achieve remote code execution by uploading a malicious .inc file to a temporary directory and then including it via a manipulated bookmark block parameter. The exploit chain involves authentication, file upload, and path traversal to trigger the inclusion.

Description

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.

Exploits (2)

exploitdb WORKING POC

pythonwebappsphp

https://www.exploit-db.com/exploits/48209

View Code ZIP pw:eip

This exploit leverages a file inclusion vulnerability in Horde Webmail to achieve remote code execution by uploading a malicious .inc file to a temporary directory and then including it via a manipulated bookmark block parameter. The exploit chain involves authentication, file upload, and path traversal to trigger the inclusion.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Horde Webmail (specific version not specified, but CVE-2020-8865 affects Horde Groupware Webmail Edition 5.2.22 and earlier)

Auth required

Prerequisites: Valid credentials for the Horde Webmail application · Network access to the target application · Ability to upload files to the temporary directory

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 19, 2026 Full analysis →

exploitdb WORKING POC

pythonwebappsphp

https://www.exploit-db.com/exploits/48210

View Code ZIP pw:eip

This exploit leverages PHAR deserialization in Horde Webmail to achieve remote code execution by uploading a malicious PHAR file, triggering its deserialization via a syndicated feed block, and executing arbitrary PHP code.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Horde Webmail (version not specified, but CVE-2020-8865 affects Horde Groupware Webmail Edition 5.2.22 and earlier)

Auth required

Prerequisites: Valid credentials for Horde Webmail · Ability to upload files to the /tmp directory · PHP PHAR extension enabled on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-276/

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html

Scores

CVSS v3 6.3

EPSS 0.0681

EPSS Percentile 93.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-22 CWE-23

Status published

Products (2)

debian/debian_linux 8.0

horde/groupware 5.2.22

Published Mar 23, 2020

Tracked Since Feb 18, 2026