Horde email security vulnerability

Started by LandyVlad, Jun 11, 2022, 05:43 AM

LandyVlad

My webhost advises:
Quote: Our Technical Operations team has disabled the Horde webmail interface on all our cPanel services. This is due to a recent vulnerability found within Horde which can be exploited by someone opening a malicious email.

We are asking all our customers to use Roundcube as a webmail interface instead while we wait for this vulnerability to be patched and fixed.

You can find out more about the vulnerability on the cPanel support site.

Quote: CVE-2022-30287 RCE Vulnerability reportedly discovered in horde.
Thomas Payne
2 days ago Updated
Symptoms
An RCE vulnerability was recently discovered in horde, which can be exploited with the only requirement being that the victim opens a malicious email. More information about this vulnerability is in the link below:

https://blog.sonarsource.com/horde-webmail-rce-via-email/

CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30287

Description
The discovered code vulnerability (CVE-2022-30287) allows an authenticated user of a Horde instance to execute arbitrary code on the underlying server. The vulnerability exists in the default configuration and can be exploited without knowledge of the configuration of the targeted Horde instance.

We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-40754. Follow this article to receive an email notification when a solution is published in the product.

 

Workaround
Our development team is actively working on a resolution for this issue. Until this is published, we recommend that our clients disable horde using the method below.

Sign into WHM as the Root user >> Tweak Settings >> Mail >> Enable Horde Webmail ( OFF )

Please do not PM me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

Skhilled

Thanks for reporting this! I'll do the same and alert my customers.

I know there was some talk last year about removing Horde due to lack of updates or something similar. But so far, they kept it available.

Oldiesmann

I've always used RoundCube (though I don't think Plesk even supports Horde in the first place)
Christian Metal Fans - https://www.christianmetal.fans