CVE-2020-8518
published 2020-02-17

CVE-2020-8518: Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.

Priority: P182 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 71.14% (99.3rd percentile)

Affected

5 ranges

Vendor         Product         Version range                          Fixed in
debian         debian_linux
debian         php-horde-data  < php-horde-data 2.1.5-1 (bookworm)    php-horde-data 2.1.5-1 (bookworm)
fedoraproject  fedora
fedoraproject  fedora
horde          groupware

Detection & IOCs (extracted from sources)

path: /mnemo/data.php
command: passthru(base64_decode(...))
cookie: horde_secret_key
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve CVE_2020_8518, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_07;)
  • Exploit sends a POST to /mnemo/data.php with actionID=11 and import_format=csv to upload a dummy file, followed by a second POST with actionID=3, import_step=2, and a crafted 'quote' parameter containing injected PHP (passthru/base64_decode/die) to trigger RCE.
  • The injected PHP payload is base64-encoded and passed via the 'quote' POST parameter; look for base64-encoded strings in the 'quote' field of CSV import requests to /mnemo/data.php.
  • The exploit requires prior authentication; monitor for login attempts to /login.php with horde_user/horde_pass POST parameters followed immediately by requests to /mnemo/data.php.
  • The Emerging Threats Snort/Suricata rule (SID 2029636) detects this exploit by matching a POST to a URI ending in data.php whose request body contains the byte sequences for '; filename="', '.passthru(', and '.die();', plus the horde_secret_key header.
  • The two-stage attack first uploads a dummy file (actionID=11, import_step=1) to establish a session context, then injects PHP in the second request (actionID=3, import_step=2); both stages should be correlated for high-confidence detection.
  • The vulnerability is present in Horde_Data module version 2.1.4 and earlier; the fix is in version 2.1.5. Debian packages resolved this in version 2.1.5-1 across bookworm, bullseye, and sid.
  • Exploitation requires valid credentials; unauthenticated attackers cannot directly exploit this vulnerability.
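The correlation the bullets above describe (login, then the actionID=11/import_step=1 upload, then the actionID=3/import_step=2 request with a suspicious 'quote' value), written out as an added example that is not part of this record or of the Emerging Threats rule. It assumes already-parsed request records with client, method, path and form-encoded body fields; the sample traffic is constructed, not a real capture.

```python
import re
from urllib.parse import parse_qs, urlencode

# Substrings the Emerging Threats rule keys on, plus the base64_decode call the IOCs list
PHP_MARKERS = ("passthru(", "base64_decode(", ".die();")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def suspicious_quote(value):
    """A real CSV 'quote' setting is a single character; PHP tokens or a long
    base64 run in that field match the indicators listed for CVE-2020-8518."""
    return any(m in value for m in PHP_MARKERS) or bool(BASE64_RUN.search(value))

def detect(requests):
    """Track the login -> stage 1 -> stage 2 sequence per client and emit one
    alert per stage-2 request, with confidence raised when stage 1 was seen."""
    seen_login, seen_stage1, alerts = set(), set(), []
    for r in requests:
        if r["method"] != "POST":
            continue
        form = {k: v[0] for k, v in parse_qs(r["body"]).items()}
        c = r["client"]
        if r["path"].endswith("/login.php") and "horde_user" in form:
            seen_login.add(c)
        elif r["path"].endswith("/mnemo/data.php"):
            if form.get("actionID") == "11" and form.get("import_step") == "1":
                seen_stage1.add(c)
            elif (form.get("actionID") == "3" and form.get("import_step") == "2"
                  and suspicious_quote(form.get("quote", ""))):
                alerts.append({"client": c, "cve": "CVE-2020-8518",
                               "confidence": "high" if c in seen_stage1 else "medium",
                               "after_login": c in seen_login})
    return alerts

# Constructed sample traffic (hypothetical clients; the quote value is a placeholder)
SAMPLE = [
    {"client": "198.51.100.7", "method": "POST", "path": "/login.php",
     "body": urlencode({"horde_user": "alice", "horde_pass": "placeholder"})},
    {"client": "198.51.100.7", "method": "POST", "path": "/mnemo/data.php",
     "body": urlencode({"actionID": "11", "import_step": "1", "import_format": "csv"})},
    {"client": "198.51.100.7", "method": "POST", "path": "/mnemo/data.php",
     "body": urlencode({"actionID": "3", "import_step": "2",
                        "quote": '".passthru(base64_decode("...")).die();'})},
    # Legitimate CSV import: the quote setting is just a double-quote character
    {"client": "203.0.113.9", "method": "POST", "path": "/mnemo/data.php",
     "body": urlencode({"actionID": "3", "import_step": "2", "quote": '"'})},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```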

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL