Companies and users who use the Horde Webmail program to access their emails have been warned by experts to modify the default configuration of Horde Webmail immediately.
Recently, it was revealed that a default feature of Horde Webmail had an unpatched, nine-year-old security hole that threat actors might use to get full access to email accounts.
Horde has a coding vulnerability that allows an attacker to obtain complete control of a victim's email account by loading the preview of a seemingly harmless email attachment.
This allows the attacker access to all sensitive and perhaps secret information saved in the victim's email account, as well as the ability to obtain further access to an organization's internal services.
Horde Webmail is a popular client that comes pre-installed with the cPanel control panel, which is used by a large number of hosting firms and millions of website administrators.
The weakness in Horde Webmail is found in one of the client's basic functions, which accepts OpenOffice documents and makes previews of them inside the browser.
This security weakness is an XSS (cross-site scripting) vulnerability that was first discovered 9 years ago with commit 325a7ae. An attacker may create a malicious OpenOffice document, which would then be converted to XHTML for the Horde to access.
The Horde may start the execution of a malicious JavaScript payload at this point when it creates the preview of the modified XHTML.
There's no patch, but there is a way to stop it.
While there is still no official patch for this vulnerability, you may still protect yourself from such attacks.
You should do this:
In the Horde webmail app, you must disable the rendering of OpenOffice attachments.