CVE-2022-30287

HIGH

Horde Groupware < 5.2.22 - Insecure Deserialization

Title source: rule

Description

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.

References (4)

[Exploit, Third Party Advisory] https://blog.sonarsource.com/horde-webmail-rce-via-email/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html

[Release Notes, Vendor Advisory] https://www.horde.org/apps/webmail

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/10/msg00014.html

Scores

CVSS v3 8.0

EPSS 0.1553

EPSS Percentile 94.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-470

Status published

Affected Products (2)

horde/groupware < 5.2.22

debian/debian_linux

Timeline

Published Jul 28, 2022

Tracked Since Feb 18, 2026