CVE-2022-30287 — Unsafe Reflection in Groupware

CWE-470 — Unsafe Reflection CWE-502 — Deserialization of Untrusted Data CWE-352 — Cross-Site Request Forgery5 documents5 sources

Severity

8.0HIGHNVD

EPSS

15.5%

top 5.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Groupware Debian Linux

Timeline

PublishedJul 28

Latest updateJul 29

Description

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages1 packages

▶NVDhorde/groupware5.2.22

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

GHSA-fjfv-mw3h-74w5: Horde Groupware Webmail Edition through 5↗2022-07-29

▶

CVEList

CVE-2022-30287: Horde Groupware Webmail Edition through 5↗2022-07-28

▶

OSV

CVE-2022-30287: Horde Groupware Webmail Edition through 5↗2022-07-28

▶

📋Vendor Advisories

Debian

CVE-2022-30287: php-horde-turba - Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection att...↗2022

▶