5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.054 Low
EPSS
Percentile
93.2%
## Vulnerability Summary
The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21.
Horde Groupware Webmail Edition is โa free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.โ
## Credit
An independent security researcher, Juan Pablo Lopez Yacubian, has reported this vulnerability to Beyond Securityโs SecuriTeam Secure Disclosure program.
## Vendor response
Horde Groupware was informed of the vulnerability, to which they response with:
โthis has already been reported earlier by someone else, and is already fixed in the latest Gollem and Horde Groupware releases.
Besides that, itโs not sufficient to have a list of the serverโs users, you also need to exactly know the file name and path that you want to download. Finally, this only works on certain backends, where Horde alone is responsible for authentication, i.e. it wonโt work with backends that require explicit authentication.โ
CVE: CVE-2017-15235
## Vulnerability details
User controlled input is not sufficiently sanitized when passed to File Manager (gollem) module (version 3.0.11).
The โfnโ parameter does not validate certain met characters by causing the requested file or filesystem to be downloaded without credentials.
It is only necessary to know the username and the file name.
## Proof of Concept
```
User = this is the username in horde
/ = the Meta character /
/services/download/?app=gollem&dir=%2Fhome%2Fuser&backend=sqlhome&fn=/test.php
```
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.054 Low
EPSS
Percentile
93.2%