CVE-2017-7414
published 2017-04-04CVE-2017-7414: In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled…
PriorityP337high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EPSS
1.25%
65.7th percentile
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-horde-crypt | < php-horde-crypt 2.7.5-2 (bookworm) | php-horde-crypt 2.7.5-2 (bookworm) |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
| horde | groupware | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2017-7414: php-horde-crypt - In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x thro...
vendor_debian·2017·CVSS 7.5
CVE-2017-7414 [HIGH] CVE-2017-7414: php-horde-crypt - In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x thro...
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
Scope: local
bookworm: resolved (fixed in 2.7.5-2)
bullseye: resolved (fixed in 2.7.5-2)
sid: resolved (fixed in 2.7.5-2)
GHSA
GHSA-66jj-9jf3-x628: In Horde_Crypt before 2
ghsa_unreviewed·2022-05-13
CVE-2017-7414 [HIGH] CWE-78 GHSA-66jj-9jf3-x628: In Horde_Crypt before 2
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
OSV
CVE-2017-7414: In Horde_Crypt before 2
osv·2017-04-04·CVSS 7.5
CVE-2017-7414 [HIGH] CVE-2017-7414: In Horde_Crypt before 2
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-04-04
Published