← back
CVE-2021-26929

CVE-2021-26929

EPSS 4.9%
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
Affected products
n/a · n/a
public PoCs found3
cve_referencepacketstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49769unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.htmlhttps://github.com/horde/webmail/releaseshttps://lists.debian.org/debian-lts-announce/2021/02/msg00028.htmlhttps://lists.horde.org/archives/announce/2021/001298.htmlhttps://www.alexbirnberg.com/horde-xss.htmlhttps://www.horde.org/apps/webmail