CVE-2020-8866

EUVD-2020-29708

23.03.2020, 21:15

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
zdi	CNA	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Affected Products (NVD)

Vendor	Product	Version
horde	groupware	5.2.22
horde	horde_form	𝑥 < 2.0.20
debian	debian_linux	8.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

php-horde-form

bookworm	2.0.20-2 fixed
bullseye	2.0.20-2 fixed
sid	2.0.20-2 fixed
trixie	2.0.20-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

php-horde-form

bionic	needs-triage
eoan	ignored
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	dne
xenial	needs-triage

Common Weakness Enumeration

CWE-434 - Unrestricted Upload of File with Dangerous Type
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

References

https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html

https://lists.horde.org/archives/announce/2020/001288.html

https://www.zerodayinitiative.com/advisories/ZDI-20-275/

https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html

https://lists.horde.org/archives/announce/2020/001288.html

https://www.zerodayinitiative.com/advisories/ZDI-20-275/