CVE-2022-26874

NameCVE-2022-26874
Descriptionlib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. This occurs after XSLT rendering.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3045-1, DLA-3089-1, DLA-3924-1, ELA-1132-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-horde-mime-viewer (PTS)jessie, jessie (lts)2.0.7-2+deb8u1fixed
stretch (security), stretch (lts), stretch2.2.1-1+deb9u1fixed
buster (security), buster, buster (lts)2.2.2-3+deb10u1fixed
bullseye2.2.2+debian0-2vulnerable
bullseye (security)2.2.4+debian0-2~deb11u1fixed
sid, bookworm2.2.4+debian0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-horde-mime-viewersourcejessie2.0.7-2+deb8u1ELA-1132-1
php-horde-mime-viewersourcestretch2.2.1-1+deb9u1DLA-3045-1
php-horde-mime-viewersourcebuster2.2.2-3+deb10u1DLA-3089-1
php-horde-mime-viewersourcebullseye2.2.4+debian0-2~deb11u1DLA-3924-1
php-horde-mime-viewersource(unstable)2.2.4+debian0-1

Notes

https://blog.sonarsource.com/horde-webmail-account-takeover-via-email/
Introduced by: https://github.com/horde/Mime_Viewer/commit/325a7ae2663dd9c50e85fe515033454669f16f28
Fixed by: https://github.com/horde/Mime_Viewer/commit/86f4f265adc45c39f891dea4ba5f22fb2a338618 (2.2.3)
Followup: https://github.com/horde/Mime_Viewer/commit/02b46cec1a7e8f1a6835b628850cd56b85963bb5 (2.2.4)

Search for package or bug name: Reporting problems