UPS-430 - Horde Webmail 5.2.22 - Account Takeover via Email
Hey there! We are tracking this case with UPS-430. Our team hasn't decided how to handle that just yet, but I'll be sure to post updates as soon as I get them.
Any news on this? It's a standard configured application in cPanel; the workaround would not be too hard to push.
I don't have any other updates just yet.
Rex, has there been any confirmation that the Horde release version from cPanel is even vulnerable to the mentioned attack under default configuration? I have not been able to find the required processor code under /usr/local/cpanel/base/horde/imp/config/mime_drivers.php. We ran a test here on 100.0.11 and 102.0.6, but on default cPanel configuration we were not able to get any ooo document preview working in conjunction with extension .xslt
I'm having our security team check and confirm those findings now - I'll post back once I have an update.
So far, we haven't been able to reproduce the specific vulnerability on a standard cPanel installation, so that's good news!
Update - we've ensured the latest packages released for cpanel-php74-horde do not have this issue. Specifically this is the cpanel-php74-horde-5.2.23-4.cp11102 package, which will be available soon.