Buyers of Horde Webmail are being urged to disable a aspect to contain a 9-yr-aged unpatched security vulnerability in the software package that could be abused to gain finish obtain to email accounts simply by previewing an attachment.
“This presents the attacker obtain to all delicate and maybe solution information and facts a target has saved in their email account and could let them to gain further more accessibility to the inside solutions of an group,” SonarSource vulnerability researcher, Simon Scannell, stated in a report.
An “all volunteer project,” the Horde Challenge is a cost-free, browser-centered conversation suite that allows consumers to browse, mail, and organize email messages as very well as handle and share calendars, contacts, responsibilities, notes, information, and bookmarks.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The flaw, which was introduced as part of a code improve pushed on November 30, 2012, relates to a circumstance of an “strange” stored cross-website scripting flaw (aka persistent XSS) that enables an adversary to craft an OpenOffice document in this sort of a method that when it is previewed, it mechanically executes arbitrary JavaScript payload.
Saved XSS attacks come up when a destructive script is injected specifically into a susceptible web application’s server, these kinds of as a comment industry of a internet site, resulting in the untrusted code to be retrieved and transmitted to the victim’s browser each individual time the stored information is requested.
“The vulnerability triggers when a qualified person sights an attached OpenOffice document in the browser,” Scannell explained. “As a result, an attacker can steal all emails the target has sent and been given.”
Even worse, must an administrator account with a personalised, malicious email is correctly compromised, the attacker could abuse this privileged entry to take around the entire webmail server.
The shortcoming was initially noted to the job maintainers on August 26, 2021, but to day no fixes have been transported even with confirmation from the vendor acknowledging the flaw. We have achieved out to Horde for more remark, and we will update if we listen to again.
In the interim, Horde Webmail buyers are suggested to disable the rendering of OpenOffice attachments by editing the config/mime_drivers.php file to add the ‘disable’ => true configuration choice to OpenOffice mime handler.
Observed this posting attention-grabbing? Follow THN on Facebook, Twitter and LinkedIn to read a lot more exceptional articles we put up.
Some pieces of this write-up are sourced from:
thehackernews.com