“Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks and notes with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Turba, Kronolith, Nag, Mnemo, Gollem, and Trean.”. For more information visit http://www.horde.org/apps/webmail.
An authenticated user can attach a SVG image file to an email, once the upload of the file is finished the image will be available at
/services/images/view.php endpoint mentioned above).
which translates to
An unauthenticated attacker might be able to gain access to the victim’s webmail by making them visit an SVG URL which triggers the stored XSS vulnerability.
/services/images/view.php now sets the
Content-disposition: attachment HTTP header, forcing the web browser to download the image.
Upgrade to Horde Groupware Webmail 5.2.22 or later.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.it/it/advisories/horde-groupware-webmail-stored-cross-site-scripting-xss-via-svg/
20 April 2020