Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22

# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails
# _____________________________________________________________________________________________________
# Reflected XSS to Remote Command Execution, Remote Code Execution and SQL Injection:
# http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
# http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
# http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE
# An attacker can execute commands and PHP code remotely and inject harmful SQL queries.
# An attacker can also create users through these reflected XSS vulnerabilities.
# Stay Secure with InfinitumIT - infinitumit.com.tr
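
For defenders reviewing web server logs, the following added example (not part of the original advisory or of Horde's code) flags requests to the admin endpoints listed above whose `user_name` or `app` parameter decodes to HTML markup characters. The combined log format, the character set, the `/horde` prefix and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path suffix -> parameter named in the advisory. The install prefix
# (/groupware in the advisory URLs) varies, so only the suffix is matched.
WATCHED = {"/admin/user.php": "user_name", "/admin/config/diff.php": "app"}
# Characters a user or application name should not contain but that
# reflected markup needs. Assumption: tune for names such as O'Brien.
MARKUP = re.compile(r"[<>\"'`]")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_no, path, param, decoded_value) for each flagged request."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for suffix, param in WATCHED.items():
            if not url.path.endswith(suffix):
                continue
            for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
                value = fully_decode(raw)  # parse_qs already decoded once
                if MARKUP.search(value):
                    hits.append((no, url.path, param, value))
    return hits

# Constructed sample log lines (documentation IPs, harmless markup).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /groupware/admin/user.php?user_name=alice&form=update_f HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /groupware/admin/user.php?user_name=%22%3E%3Cb%3Ex&form=remove_f HTTP/1.1" 200 5301',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /horde/admin/config/diff.php?app=%253Ci%253Ex HTTP/1.1" 200 2210',
    '203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "GET /groupware/admin/config/diff.php?app=imp HTTP/1.1" 200 1980',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the vulnerable pages are admin-only and the XSS is reflected, a hit that carries a `Referer` from outside the webmail host is the pattern worth correlating with subsequent user creation or configuration changes.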