CVE-2017-7414 — OS Command Injection in Groupware

CWE-78 — OS Command Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.3%

top 20.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Groupware

Timeline

PublishedApr 4

Latest updateMay 13

Description

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

▶NVDhorde/groupware20 versions+19

🔴Vulnerability Details

GHSA

GHSA-66jj-9jf3-x628: In Horde_Crypt before 2↗2022-05-13

▶

CVEList

CVE-2017-7414: In Horde_Crypt before 2↗2017-04-04

▶

OSV

CVE-2017-7414: In Horde_Crypt before 2↗2017-04-04

▶

📋Vendor Advisories

Debian

CVE-2017-7414: php-horde-crypt - In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x thro...↗2017

▶