
New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

June 1, 2022

A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the mail server merely by sending a specially crafted email to a victim.

“Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction,” SonarSource said in a report shared with The Hacker News. “The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance.”

The issue, which has been assigned the CVE identifier CVE-2022-30287, was reported to the vendor on February 2, 2022. The maintainers of the Horde Project did not immediately respond to a request for comment regarding the unresolved vulnerability.


At its core, the issue makes it possible for an authenticated user of a Horde instance to run malicious code on the underlying server by taking advantage of a quirk in how the client handles contact lists.

This can then be weaponized in conjunction with a cross-site request forgery (CSRF) attack to trigger the code execution remotely, so that the attacker does not need an account of their own on the targeted instance.

CSRF, also referred to as session riding, occurs when a web browser is tricked into performing an unwanted action in an application to which the user is logged in. It exploits the trust a web application places in an authenticated user's browser: every request the browser issues to the application carries the session cookie, whether or not the user intended to send it.

“As a result, an attacker can craft a malicious email and include an external image that, when rendered, exploits the CSRF vulnerability without further interaction of a victim: the only prerequisite is to have a victim open the malicious email.”
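The chain the researchers describe (an external image in an HTML email makes the victim's browser issue a cookie-bearing request to the webmail server, which then performs a state change on the victim's behalf) is ordinary CSRF, and it is broken by the same controls that break any CSRF. The Python sketch below is an added illustration written for this article; it is not Horde's code and not the endpoint SonarSource found. The `/contacts/save` path, the session layout, the `webmail.example` origin and the sample requests are all constructed for the example. It contrasts a handler that mutates state on a cookie-authenticated GET with one that requires POST plus a session-bound anti-CSRF token, and adds the client-side control of not fetching remote images from untrusted mail by default.

```python
"""Added example for this article (not Horde's code): a cookie-authenticated
state change reachable by GET is a CSRF primitive that an <img> in an HTML
mail can trigger, and the controls that break the chain.
The /contacts/save endpoint, the session layout and the sample requests are
constructed for illustration; they are not the vulnerable Horde endpoint."""
import hmac
import re
import secrets
from dataclasses import dataclass, field

SITE = "https://webmail.example"  # assumed webmail origin

# constructed session store: cookie value -> {"user": ..., "csrf": ...}
SESSIONS = {"sid-victim": {"user": "alice", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_save_contact(req, store):
    """Mutates state on any method, authenticated by the session cookie alone.
    Anything that makes the victim's browser request this URL succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    store.setdefault(sess["user"], []).append(req.params.get("vcard", ""))
    return 200


def hardened_save_contact(req, store):
    """Requires POST and a token bound to the session. The token is what stops
    the attack: a browser never puts it in an <img> fetch. A Referer or Origin
    check alone is useless here, because the hostile HTML is rendered inside
    the webmail origin itself when the user opens the email."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    store.setdefault(sess["user"], []).append(req.params.get("vcard", ""))
    return 200


def forged_image_request():
    """What the victim's browser sends when a hostile HTML mail containing
    <img src="https://webmail.example/contacts/save?vcard=..."> is rendered:
    a GET carrying the session cookie, no token, and a Referer that points at
    the webmail application itself (constructed)."""
    return Request("GET", "/contacts/save", {"sid": "sid-victim"},
                   {"vcard": "BEGIN:VCARD\nFN:Mallory\nEND:VCARD"},
                   {"Referer": SITE + "/imp/"})


def legitimate_request():
    """A real form submission from the application's own page (constructed)."""
    return Request("POST", "/contacts/save", {"sid": "sid-victim"},
                   {"vcard": "BEGIN:VCARD\nFN:Bob\nEND:VCARD",
                    "csrf_token": SESSIONS["sid-victim"]["csrf"]},
                   {"Origin": SITE})


# Client-side control: do not fetch remote resources from untrusted mail by
# default. Remote src= attributes are renamed so the browser never issues the
# request; inline cid: attachments are left alone.
REMOTE_SRC = re.compile(r'\bsrc\s*=\s*(["\'])(?:https?:)?//[^"\']*\1', re.I)


def strip_remote_images(html):
    return REMOTE_SRC.sub(lambda m: "data-blocked-" + m.group(0), html)


if __name__ == "__main__":
    vuln, hard = {}, {}
    print("vulnerable, forged GET:", vulnerable_save_contact(forged_image_request(), vuln), vuln)
    print("hardened, forged GET  :", hardened_save_contact(forged_image_request(), hard), hard)
    print("hardened, legitimate  :", hardened_save_contact(legitimate_request(), hard), hard)
    print(strip_remote_images('<img src="https://webmail.example/contacts/save?vcard=x">'))
```

Two caveats worth keeping in mind when applying this to a real webmail deployment: `SameSite` cookie attributes do not help against this particular chain, because the forged request originates from the webmail site itself, and current browsers additionally label such fetches with `Sec-Fetch-Dest: image`, which a mutation endpoint can reject outright as a second layer behind the token.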

The disclosure comes a little more than three months after a different nine-year-old bug in the software came to light, which could allow an adversary to gain complete access to email accounts by previewing an attachment. That issue has since been resolved as of March 2, 2022.


In light of the fact that Horde Webmail has not been actively maintained since 2017 and dozens of security flaws have been documented in the productivity suite, users are advised to switch to an alternative service.

“With so much trust being put into webmail servers, they naturally become a highly interesting target for attackers,” the researchers said.

“If a sophisticated adversary could compromise a webmail server, they can intercept every sent and received email, access password-reset links, sensitive documents, impersonate staff and steal all credentials of users logging into the webmail service.”



Some parts of this write-up are sourced from:
thehackernews.com


Copyright © TheCyberSecurity.News, All Rights Reserved.