Source: php-horde-groupware X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerability was published for php-horde-groupware. CVE-2025-41066[0]: | Horde Groupware v5.2.22 has a user enumeration vulnerability that | allows an unauthenticated attacker to determine the existence of | valid accounts on the system. To exploit the vulnerability, an HTTP | request must be sent to ‘/imp/attachment.php’ including the | parameters ‘id’ and ‘u’. If the specified user exists, the server | will return the download of an empty file; if it does not exist, no | download will be initiated, which unequivocally reveals the validity | of the user. It's unclear whether this was reported upstream: https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-41066 https://www.cve.org/CVERecord?id=CVE-2025-41066 Please adjust the affected versions in the BTS as needed.
