We have disabled Horde Webmail on all MechanicWeb servers.
Description
A remote code execution (RCE) vulnerability was recently discovered in Horde Webmail. The only requirement for exploitation is that the victim opens a malicious email.
The Horde Webmail vulnerability (CVE-2022-30287) is triggered by a single GET request, which makes it exploitable through cross-site request forgery (CSRF): an attacker can craft a malicious email containing an external image whose URL issues that request when the mail client renders it.
The victim's clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization.
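The following Python model is an added illustration of the pattern described above, not code from Horde, cPanel or the linked write-ups. It shows why a state-changing endpoint that reacts to a bare GET can be driven from an external image (the client attaches the session cookie automatically), and which checks a hardened handler applies: require POST, verify the Origin or Referer against the site, and compare a per-session CSRF token. The endpoint path, site origin, session store and request values are assumptions constructed for the demo.

```python
"""Generic model of a GET-triggered CSRF and the checks a hardened handler
applies. Illustration only; not Horde's code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://webmail.example.test"   # assumed site origin

SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}; in-memory for the demo
AUDIT = []      # state changes that actually happened


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and a per-session CSRF token; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def same_origin(url):
    """True only for an exact scheme+host match; 'null' or a foreign host fails."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def vulnerable_handler(req):
    """Changes state on a bare GET. The browser or mail client attaches the
    session cookie automatically, so an <img src="..."> pointing here is enough."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.path == "/settings/update":
        AUDIT.append((sess["user"], req.query.get("key"), req.query.get("value")))
        return 200
    return 404


def hardened_handler(req):
    """Requires POST, an Origin/Referer on our own site, and a token that
    matches the one stored in the session before touching any state."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.path != "/settings/update":
        return 404
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    AUDIT.append((sess["user"], req.form.get("key"), req.form.get("value")))
    return 200


def image_triggered_request(sid):
    """What a client emits when rendering a remote image: GET, cookie attached,
    no body, no token, no same-site Origin. Values are constructed."""
    return Request(method="GET", path="/settings/update", cookies={"sid": sid},
                   query={"key": "signature", "value": "forged"})


def simulate():
    """Run the forged request against both handlers, plus two control requests."""
    SESSIONS.clear()
    AUDIT.clear()
    sid = login("victim")
    forged = image_triggered_request(sid)
    results = {
        "vulnerable_vs_image": vulnerable_handler(forged),
        "hardened_vs_image": hardened_handler(forged),
    }
    # Cross-site POST (e.g. an auto-submitted form) without the session token.
    foreign = Request(method="POST", path="/settings/update", cookies={"sid": sid},
                      form={"key": "signature", "value": "forged"},
                      headers={"Origin": "https://mail-host.example.invalid"})
    results["hardened_vs_foreign_post"] = hardened_handler(foreign)
    # Legitimate in-app request: POST, same origin, session token present.
    legit = Request(method="POST", path="/settings/update", cookies={"sid": sid},
                    form={"csrf": SESSIONS[sid]["csrf"], "key": "signature", "value": "mine"},
                    headers={"Origin": SITE_ORIGIN})
    results["hardened_vs_legit"] = hardened_handler(legit)
    results["audit"] = list(AUDIT)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The vulnerable handler records the forged change because nothing distinguishes the image-triggered GET from a real user action; the hardened handler rejects it on the method alone and still rejects a cross-site POST on the Origin and token checks. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, but it does not help for clients that are not browsers, which is why the server-side token check remains the primary defence.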
Workaround
The cPanel development team is actively working on a resolution for this issue. The case number is CPANEL-40754. We will update this article when a solution is published.
Until then, Horde Webmail will remain disabled on all MechanicWeb servers.
More Information
https://support.cpanel.net/hc/en-us/articles/6483941705239
https://blog.sonarsource.com/horde-webmail-rce-via-email/
https://portswigger.net/daily-swig/horde-webmail-contains-zero-day-rce-bug-with-no-patch-on-the-horizon
CVE Link
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30287
Sunday, June 12, 2022