We have disabled the Horde Webmail on all MechanicWeb servers.
An RCE vulnerability was recently discovered in Horde Webmail; the only requirement for exploitation is that the victim opens a malicious email.
The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single GET request, bringing cross-site request forgery (CSRF) into play. As a result, an attacker can craft a malicious email and include an external image that exploits the CSRF vulnerability when rendered.
The victim's clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization.
The cPanel development team is actively working on a resolution for this issue. The case number is CPANEL-40754. We will update this article when a solution is published.
Until then, Horde Webmail will remain disabled on all MechanicWeb servers.
Sunday, June 12, 2022