New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

A brand new unpatched safety vulnerability has been disclosed within the open-source Horde Webmail consumer that could possibly be exploited to attain distant code execution on the e-mail server merely by sending a specifically crafted electronic mail to a sufferer.

“Once the e-mail is considered, the attacker can silently take over the entire mail server with none additional person interplay,” SonarSource mentioned in a report shared with The Hacker News. “The vulnerability exists within the default configuration and could be exploited with no information of a focused Horde occasion.”

The situation, which has been assigned the CVE identifier CVE-2022-30287, was reported to the seller on February 2, 2022. The maintainers of the Horde Project didn’t instantly reply to a request for remark concerning the unresolved vulnerability.


At its core, the problem makes it attainable for an authenticated person of a Horde occasion to run malicious code on the underlying server by making the most of a quirk in how the consumer handles contact lists.

This can then be weaponized along side a cross-site request forgery (CSRF) assault to set off the code execution remotely.

CSRF, additionally known as session using, occurs when an internet browser is tricked into executing a malicious motion in an utility to which a person is logged in. It exploits the belief an internet utility has in an authenticated person.

“As a consequence, an attacker can craft a malicious electronic mail and embody an exterior picture that when rendered exploits the CSRF vulnerability with out additional interplay of a sufferer: the one requirement is to have a sufferer open the malicious electronic mail.”

The disclosure comes just a little over three months after one other nine-year-old bug within the software program got here to gentle, which may allow an adversary to realize full entry to electronic mail accounts by previewing an attachment. This situation has since been resolved as of March 2, 2022.


In gentle of the truth that Horde Webmail is not actively maintained since 2017 and dozens of security flaws have been reported within the productiveness suite, customers are beneficial to modify to another service.

“With a lot belief being positioned into webmail servers, they naturally grow to be a extremely attention-grabbing goal for attackers,” the researchers mentioned.

“If a classy adversary may compromise a webmail server, they’ll intercept each despatched and obtained electronic mail, entry password-reset hyperlinks, delicate paperwork, impersonate personnel, and steal all credentials of customers logging into the webmail service.”

Related Posts