Debian Php-Horde-Form vulnerabilities
2 known vulnerabilities affecting debian/php-horde-form.
Total CVEs: 2
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2020-8866 | MEDIUM | CVSS 6.5 | PoC | fixed in php-horde-form 2.0.20-1 (bookworm) | 2020
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. A
debian
CVE-2019-9858 | HIGH | CVSS 8.8 | PoC | fixed in php-horde-form 2.0.18-3.1 (bookworm) | 2019
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsa
debian