Horde is a very popular free, enterprise-ready, browser-based communication suite. It is used mainly by universities and libraries, and a lot of web hosting providers use it as their default email client.
Security researcher Numan Ozdemir found certain weaknesses in the open-source webmail software that allow hackers to delete and download users' inboxes.
The attacker has to send an e-mail and trick the victim into clicking a malicious link to get access to all the content in the account. Security researchers usually wait three months after finding an issue before making it public, giving organizations time to fix the flaw.
On this occasion, Horde has yet to make any statements related to the problem. The National Institute of Standards and Technology said the flaws pose a “high” security risk to users.
Ozdemir says that the latest Horde Webmail update fixed some of the vulnerabilities, but not all.
Horde still hasn’t publicly stated if any issues were fixed or if users of older versions are still at risk. Ozdemir’s bug report filed with Horde remains open.