Disclosure of sensitive information in Horde Groupware
Groupware, version 5.2.22.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Horde Groupware, a browser-based business collaboration suite that allows users to manage and share calendars, contacts, tasks, etc. The vulnerability was discovered by Amador Aparicio.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
CVE-2025-41066: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-200
No solution has been reported at this time.
CVE-2025-41066: Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user.
