CVE-2017-7413 — OS Command Injection in Groupware

CWE-78 — OS Command Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

13.3%

top 5.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Groupware

Timeline

PublishedApr 4

Latest updateMay 13

Description

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDhorde/groupware5.2.17

🔴Vulnerability Details

GHSA

GHSA-xrq5-qhg4-5hvr: In Horde_Crypt before 2↗2022-05-13

▶

OSV

CVE-2017-7413: In Horde_Crypt before 2↗2017-04-04

▶

CVEList

CVE-2017-7413: In Horde_Crypt before 2↗2017-04-04

▶

📋Vendor Advisories

Debian

CVE-2017-7413: php-horde-crypt - In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through ...↗2017

▶