Recently, a code vulnerability has been discovered in Horde, a commonly used webmail that is in use with the control panel, cPanel, which allows an authenticated user to execute arbitrary code on the underlying server. This vulnerability has been assigned CVE (Common Vulnerability and Exposures) of CVE-2022-30287.
This vulnerability can be exploited with relative ease with a single GET request that can be triggered via Cross Site Request Forgery. The attacker only needs to craft a malicious email and include an external image that exploits this vulnerability without and future actions of the victim because simply opening the malicious email.
Additionally, the attacker can easily gain the clear text credentials of the victim through this vulnerability.
At the time of writing this, the vendor has not released a patch.
Actions Taken
Do to the severity of this vulnerability and the ease in executing on it, we have taken the steps to disable access to Horde for the time being.
Is Other Webmail Available?
Yes, cPanel has always offer the option to use Horde or Roundcube, and Roundcube is still available to be used.