CVE-2020-8866

MEDIUM

Horde Groupware Webmail Edition 5.2.22 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8866. PoCs published by Andrea Cardaci.

AI-analyzed exploit summary This exploit targets a file inclusion vulnerability in Horde Webmail, allowing an authenticated attacker to upload a malicious .inc file and include it via a path traversal in the 'trean_Block_Bookmarks' block, leading to remote code execution.

Description

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.

Exploits (2)

exploitdb WORKING POC

by Andrea Cardaci · pythonwebappsphp

https://www.exploit-db.com/exploits/48209

View Code ZIP pw:eip

This exploit targets a file inclusion vulnerability in Horde Webmail, allowing an authenticated attacker to upload a malicious .inc file and include it via a path traversal in the 'trean_Block_Bookmarks' block, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Horde Webmail (version not specified, but CVE-2020-8866 affects versions before 5.2.22)

Auth required

Prerequisites: Valid credentials for the Horde Webmail instance · Access to the target's /tmp directory for file upload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Andrea Cardaci · pythonwebappsphp

https://www.exploit-db.com/exploits/48210

View Code ZIP pw:eip

This exploit leverages PHAR deserialization in Horde Webmail to achieve remote code execution by uploading a malicious PHAR file, triggering its deserialization via a syndicated feed block, and executing arbitrary PHP code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Horde Webmail (versions affected by CVE-2020-8866)

Auth required

Prerequisites: Valid credentials for Horde Webmail · Ability to upload files to the temporary directory · PHP execution environment

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-275/

Mailing List, Vendor Advisory x_refsource_misc

https://lists.horde.org/archives/announce/2020/001288.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html

Scores

CVSS v3 6.5

EPSS 0.0958

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-434

Status published

Products (3)

debian/debian_linux 8.0

horde/groupware 5.2.22

horde/horde_form < 2.0.20

Published Mar 23, 2020

Tracked Since Feb 18, 2026