Home > Vulnerability Database > CVE-2020-8866

Mend.io Vulnerability Database

CVE-2020-8866

Good to know:

Date: March 23, 2020

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.

Language: PHP

Severity Score

9.3

Related Resources (7)

Url: https://security-tracker.debian.org/tracker/CVE-2020-8866

Url: https://lists.horde.org/archives/announce/2020/001288.html

Url: https://www.zerodayinitiative.com/advisories/ZDI-20-275/

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-8866

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8866

Url: https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html

Url: https://www.mend.io/vulnerability-database/CVE-2020-8866

Severity Score

9.3

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version Form - 2.0.20

Learn More

CVSS v3.1

Base Score:	9.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	7.1
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	LOW
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-8866

Good to know:

Date: March 23, 2020

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?