Researchers release details of unpatched security flaw

Zero-day XSS vulnerability in Horde webmail client can be triggered by file preview function

A zero-day cross-site scripting (XSS) vulnerability in Horde webmail client could allow an attacker to steal a victim’s emails and infiltrate their network, researchers warn.

Horde webmail client is an open source email service from the Horde project.

Researchers from SonarSource revealed in a blog post on February 23 that the client is vulnerable to a stored XSS vulnerability that is yet to be patched.

Read more of the latest security vulnerability news

The stored XSS is triggered by the process of rendering an OpenOffice file into a viewable format.

An OpenOffice document is a ZIP file containing XML documents and other files.

When Horde is asked to convert an OpenOffice document to HTML to be previewed, it uses XSLT (eXtensible Stylesheet Language Transformations).

The researchers noted that this converted document is returned to the user without any sanitization.

“This means that if an attacker could craft an OpenOffice document that leads to JavaScript injection in the resulting XHTML, then a XSS vulnerability occurs,” Simon Scannell, the author of the blog post, wrote.

Scannell added: “The XSS payload triggers and gives an attacker full access to their session. This means the attacker can steal all emails and, in a worst-case scenario, even execute arbitrary system commands if the victim has the administrator role.”


The security flaw can give an attacker access to all information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization.

SonarSource said it reported the issue to the Horde project in August 2021 but failed to receive a response.

The company went public with its findings this week despite no patch being available and advised users to apply alternative mitigations.

“This can be done easily by disabling the affected feature, which does not have a big impact on the usability of the software,” Scannell said.

Users will still be able to download the OpenOffice documents and view them locally, but Horde won’t attempt to render it in the browser.

“By releasing the vulnerability and patch details, we hope to raise visibility and to enable administrators to secure their servers,” added Scannell.

The Daily Swig has reached out to the Horde project for comment but has not heard back.

YOU MAY ALSO LIKE Zero-day RCE flaw among multiple bugs found in Extensis Portfolio – research