4
CVSSv2

CVE-2020-8866

Published: 23/03/2020 Updated: 30/03/2020
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Vulnerability Summary

This vulnerability allows remote malicious users to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

horde groupware 5.2.22

Vendor Advisories

Debian Bug report logs - #955020 php-horde-form: CVE-2020-8866 Package: src:php-horde-form; Maintainer for src:php-horde-form is Horde Maintainers <team+debian-horde-team@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 26 Mar 2020 21:15:01 UTC Severity: important Tags: security, ...

Exploits

## exploit-phar-loadingpy #!/usr/bin/env python3 from horde import Horde import requests import subprocess import sys TEMP_DIR = '/tmp' WWW_ROOT = '/var/www/html' if len(sysargv) < 5: print('Usage: <base_url> <username> <password> <filename> <php_code>') sysexit(1) base_url = sysargv[1] username = sys ...
## exploit-inc-inclusionpy #!/usr/bin/env python3 from horde import Horde import subprocess import sys TEMP_DIR = '/tmp' if len(sysargv) < 5: print('Usage: <base_url> <username> <password> <filename> <php_code>') sysexit(1) base_url = sysargv[1] username = sysargv[2] password = sysargv[3] filename = ...