CVE-2017-7414 php-horde-crypt


2017-12-29 22:41
2017-06-18 07:51
2017-06-16 19:22
2017-05-28 05:03
2017-05-03 11:03
2017-04-13 05:03
2017-04-06 05:03
2017-04-05 13:03


In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
buster php-horde-crypt 2.7.5-2
jessie php-horde-crypt None
sid php-horde-crypt 2.7.5-2
stretch php-horde-crypt 2.7.5-2