9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.

“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” SonarSource vulnerability researcher Simon Scannell said in a report.

An “all volunteer project,” the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

The flaw, introduced by a code change pushed on November 30, 2012, is an “unusual” stored cross-site scripting bug (also called persistent XSS): an adversary can craft an OpenOffice document so that, when it is previewed in the webmail interface, an arbitrary JavaScript payload executes automatically in the victim’s browser.

Stored XSS attacks arise when a malicious script is injected directly into a vulnerable web application’s server, such as a comment field of a website, causing the untrusted code to be retrieved and transmitted to the victim’s browser every time

Read more: https://bit.ly/35jFkyv
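The attack pattern described above, as an added illustration that is not Horde’s code and does not reproduce Horde’s actual document converter: a toy OpenDocument-to-HTML attachment preview in Python, with the naive rendering beside a hardened one and a structural check on the output. The sample .odt, the function names and the allowed-scheme list are all assumptions made for this example; the document is constructed in memory so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for real untrusted input prefer defusedxml
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Standard ODF 1.2 namespace URIs used inside content.xml.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
A_TAG = "{%s}a" % NS["text"]
HREF_ATTR = "{%s}href" % NS["xlink"]
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption for this example


def build_malicious_odt() -> bytes:
    """Constructed sample (not a real attachment): a minimal .odt whose text
    carries an HTML tag and whose hyperlink uses a javascript: URL.
    An .odt is a ZIP archive; the document body lives in content.xml."""
    content_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%(office)s" '
        'xmlns:text="%(text)s" xmlns:xlink="%(xlink)s">'
        "<office:body><office:text>"
        "<text:p>Quarterly report <text:span>"
        "&lt;img src=x onerror=alert(document.cookie)&gt;</text:span></text:p>"
        '<text:p><text:a xlink:href="javascript:alert(1)">Open attachment'
        "</text:a></text:p></office:text></office:body></office:document-content>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


def _paragraphs(odt_bytes: bytes):
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    return root.findall(".//text:p", NS)


def _render(odt_bytes: bytes, text_fn, href_fn) -> str:
    """Convert each paragraph to a <p>. text_fn and href_fn decide what happens
    to document-controlled strings on their way into HTML. Only spans and links
    that are direct children of a paragraph are handled (enough for the sample)."""
    out = []
    for p in _paragraphs(odt_bytes):
        parts = [text_fn(p.text or "")]
        for node in p:
            if node.tag == A_TAG:
                parts.append('<a href="%s">%s</a>' % (
                    href_fn(node.get(HREF_ATTR, "")), text_fn(node.text or "")))
            else:
                parts.append(text_fn(node.text or ""))
            parts.append(text_fn(node.tail or ""))
        out.append("<p>%s</p>" % "".join(parts))
    return "\n".join(out)


def render_unsafe(odt_bytes: bytes) -> str:
    """Vulnerable preview: text and hrefs are copied verbatim, so the browser
    parses attacker-chosen markup inside the webmail origin (stored XSS)."""
    return _render(odt_bytes, lambda s: s, lambda h: h)


def safe_href(href: str) -> str:
    """Keep only http(s)/mailto links. javascript:, data:, vbscript: and
    scheme-less values (which would resolve against the webmail origin) are
    replaced; anything kept is attribute-escaped."""
    if urlsplit(href.strip()).scheme.lower() not in ALLOWED_SCHEMES:
        return "#"
    return escape(href, quote=True)


def render_safe(odt_bytes: bytes) -> str:
    """Hardened preview: text is entity-escaped, links are scheme-checked."""
    return _render(odt_bytes, escape, safe_href)


class _ActiveContentFinder(HTMLParser):
    """Structural check on rendered HTML: records script-bearing elements,
    on* event handlers and javascript: URLs. Unlike a regex over the raw
    string, it is not fooled by escaped text that merely looks like a tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append("<%s> element" % tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("%s %s= handler" % (tag, name))
            elif name in ("href", "src", "action") and \
                    (value or "").strip().lower().startswith("javascript:"):
                self.findings.append("%s %s javascript: URL" % (tag, name))


def find_active_content(html: str) -> list:
    """Empty list means nothing executable was found in the rendered preview."""
    finder = _ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    doc = build_malicious_odt()
    for label, html in (("unsafe", render_unsafe(doc)), ("safe", render_safe(doc))):
        print("== %s ==" % label)
        print(html)
        print("findings:", find_active_content(html))
```

The point of the two renderers is that the document format is irrelevant to the browser: whatever the converter emits is parsed as HTML in the webmail origin, so every document-controlled string must be treated as output-encoding work, not as trusted content. The structural check is a test oracle for the converter’s output, not a substitute for escaping; the real control is the hardened renderer, or, as the advisory recommends, not previewing the attachment type at all.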
