Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVE-2022-30287
Summary
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- REQUIRED
- LOW
- HIGH
- HIGH
CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
References
Advisory Timeline
- Published