CVE-2019-12095
Description
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Horde/Horde Groupware Webmail Edition
  - Range: >=5.2.22
  - Range: <=5.2.22
Patches
Vulnerability mechanics
Root cause
"Missing CSRF protection on the bookmark creation action and insufficient sanitization of the `treanBookmarkTags` parameter allow stored XSS."
Attack vector
An attacker sends a crafted email or link to the victim; when the victim visits the attacker's `index.html` page while authenticated to the Horde webmail server, a cross-site request forgery (CSRF) is performed. The page issues an XMLHttpRequest POST to `/trean/` with `actionID=add_bookmark` and a `treanBookmarkTags` parameter containing a stored XSS payload that loads `stealer.js` from the attacker's server [ref_id=1]. The injected script then iterates through the victim's inbox messages and exfiltrates them to the attacker's `stealer.php` endpoint [ref_id=1].
Affected code
The vulnerability resides in the Trean Bookmarks module (default in Horde Groupware). The CSRF attack targets the `add_bookmark` action via a POST to the `/trean/` URI, where the `treanBookmarkTags` parameter is attacker-controlled [ref_id=1]. No patch is included in the bundle.
What the fix does
The bundle does not contain a patch or official remediation. The advisory [ref_id=1] describes the vulnerability chain but does not provide a fix commit or vendor advisory. To close the issue, the application should implement anti-CSRF tokens on the bookmark creation form and properly encode or sanitize the `treanBookmarkTags` parameter before rendering to prevent stored XSS.
Preconditions
- auth: Victim must be authenticated to the Horde webmail server
- input: Victim must visit the attacker's malicious page (e.g., index.html) while authenticated
- config: Trean Bookmarks module must be installed (default in Horde Groupware)
Reproduction
1. Host `index.html` (containing the CSRF + XSS payload), `stealer.js`, and `stealer.php` on an attacker-controlled server.
2. Send the victim a link to `index.html`.
3. When the victim (authenticated to the Horde webmail) visits the page, a CSRF POST to `/trean/` creates a bookmark with a stored XSS payload in `treanBookmarkTags`.
4. The XSS loads `stealer.js`, which fetches inbox messages via `imp/view.php?actionID=view_source` and POSTs them to `stealer.php` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugs.horde.org/ticket/14926 (MISC)
- cxsecurity.com/issue/WLB-2019050199 (MISC)
- exchange.xforce.ibmcloud.com/vulnerabilities/161333 (MISC)
- lists.debian.org/debian-lts-announce/2019/12/msg00015.html (MLIST)
- numanozdemir.com/respdisc/horde/horde.mp4 (MISC)
- numanozdemir.com/respdisc/horde/horde.txt (MISC)
- packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html (MISC)
- www.exploit-db.com/exploits/46903 (MISC)