A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim.
"Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction," SonarSource said in a report shared with The Hacker News. "The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance."
The issue, which has been assigned the CVE identifier CVE-2022-30287, was reported to the vendor on February 2, 2022. The maintainers of the Horde Project did not immediately respond to a request for comment regarding the unresolved vulnerability.
At its core, the issue makes it possible for an authenticated user of a Horde instance to run malicious code on the underlying server by taking advantage of a quirk in how the client handles contact lists.
This can then be weaponized in conjunction with a cross-site request forgery (CSRF) attack to trigger the code execution remotely.
CSRF, also called session riding, happens when a web browser is tricked into executing a malicious action in an application to which a user is logged in. It exploits the trust a web application has in an authenticated user.
"As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability without further interaction of a victim: the only requirement is to have a victim open the malicious email."
The disclosure comes a little over three months after another nine-year-old bug in the software came to light, which could permit an adversary to gain complete access to email accounts by previewing an attachment. This issue has since been resolved as of March 2, 2022.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
In light of the fact that Horde Webmail is no longer actively maintained since 2017 and dozens of security flaws have been reported in the productivity suite, users are recommended to switch to an alternative service.
"With so much trust being placed into webmail servers, they naturally become a highly interesting target for attackers," the researchers said.
"If a sophisticated adversary could compromise a webmail server, they can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel, and steal all credentials of users logging into the webmail service."