CVE-2022-30287
Published: 2022-07-28
Priority: P2 · Severity: high · CVSS 3.1 base score 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS: 70.28% (99.3rd percentile)
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-horde-turba | < php-horde-turba 4.2.25-6 (bookworm) | php-horde-turba 4.2.25-6 (bookworm) |
| horde | groupware | <= 5.2.22 | — |
Detection & IOCs (extracted from sources)
- Vulnerability affects Horde Groupware Webmail Edition through version 5.2.22; monitor for exploitation attempts involving reflection injection leading to arbitrary PHP object deserialization.
- Scope of exploitation is listed as local, limiting the remote attack surface; however, deserialization of PHP objects can still lead to significant impact if an attacker has local or authenticated access.
- Fixed versions are available for Debian: bookworm (4.2.25-6), bullseye (4.2.25-5+deb11u2), and sid (4.2.25-6); ensure patched packages are deployed.
CVSS provenance
- NVD (CVSS v3.1): 8.0 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- OSV: 8.0 HIGH
- Debian (vendor): 8.0 HIGH
GHSA
GHSA-fjfv-mw3h-74w5 (ghsa_unreviewed, 2022-07-29): CVE-2022-30287 [HIGH], CWE-352
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
OSV
CVE-2022-30287 (osv, 2022-07-28, CVSS 8.0): CVE-2022-30287 [HIGH]
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Debian
CVE-2022-30287 (vendor_debian, 2022, CVSS 8.0): CVE-2022-30287 [HIGH], package php-horde-turba
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Scope: local
- bookworm: resolved (fixed in 4.2.25-6)
- bullseye: resolved (fixed in 4.2.25-5+deb11u2)
- sid: resolved (fixed in 4.2.25-6)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.sonarsource.com/horde-webmail-rce-via-email/
- https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html
- https://lists.debian.org/debian-lts-announce/2024/10/msg00014.html
- https://www.horde.org/apps/webmail